Re: ssh tunneling
On Mon, 25 Aug 2003 17:44:32 -0400,
Derrick 'dman' Hudson <dman@dman13.dyndns.org> wrote in message
<20030825214432.GA9936@dman13.dyndns.org>:
> On Mon, Aug 25, 2003 at 02:10:12PM -0700, Steve Lamb wrote:
> | On Mon, 25 Aug 2003 13:51:37 -0500 "P. Kallakuri"
> | <praveen@unlserve.unl.edu> wrote:
>
> | > I cannot find what process is keeping them. I know that I disabled
> | > ICMP requests on my gateway,
> |
> | Ungh. Why? Why disable ICMP. I never figured that one out.
> | Anything goes wrong with that line and you'll need to remember to
> | turn it back on so as not to waste the tech's time. "Uh, I can't
> | ping your machine, are you sure it is plugged in?" "Oh, wait, hold
> | on, I turned off that diagnostic tool."
>
> Disabling ICMP causes worse problems than the scenario Steve
> described. Suppose you are trying to connect to a remote system, but
> the server is "partially" down. (for example you are trying to use
> HTTP but their web server isn't running) Instead of an immediate
> "Connection Refused" message, you'll sit for around 2 minutes before
> you get a "Connection Timed Out" message. Why? Well, Connection
> Refused is indicated by an ICMP packet but you never pass those on to
> the application. The application then sees nothing until the timeout
> timer expires. ICMP is extremely useful and is, in fact, required for
> correct operation of TCP and IP. Do not block ICMP.
..no rule without exception: these 2 minutes _are_ useful in tarpits,
to help slow vira propagation: http://labrea.sourceforge.net/ and
http://netfilter.org/documentation/pomlist/pom-extra.html#ipt_TARPIT
--
..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
Scenarios always come in sets of three:
best case, worst case, and just in case.
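
An added illustration, not part of the original message and not code from LaBrea or netfilter: a loopback-only sketch of the two client experiences the thread contrasts, an immediate refusal versus a client left to wait out its own timer, which is the cost a tarpit imposes on purpose. The helper names (start_tarpit, closed_port, probe, demo) are hypothetical, and the tarpit here is a user-space simplification that accepts connections and stays silent, whereas LaBrea and the TARPIT target work at the packet level.

```python
import socket
import threading
import time

HOST = "127.0.0.1"  # constructed loopback setup; nothing leaves this machine

def start_tarpit():
    """Hypothetical helper: accept every client, then never send a byte."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((HOST, 0))  # ephemeral port
    srv.listen(16)
    held = []  # references keep the accepted sockets open

    def hold():
        while True:
            try:
                held.append(srv.accept()[0])
            except OSError:
                return  # listener was closed

    threading.Thread(target=hold, daemon=True).start()
    return srv, held

def closed_port():
    """Bind an ephemeral port and release it, so nothing listens there."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((HOST, 0))
        return s.getsockname()[1]

def probe(port, timeout=0.5):
    """Return (outcome, seconds) for one connect-and-wait-for-banner attempt."""
    start = time.monotonic()
    try:
        with socket.create_connection((HOST, port), timeout=timeout) as s:
            outcome = "banner" if s.recv(64) else "closed by peer"
    except ConnectionRefusedError:
        outcome = "refused"  # the host answered at once: no listener
    except socket.timeout:
        outcome = "timeout"  # silence: the client burned its whole timer
    return outcome, time.monotonic() - start

def demo():
    srv, held = start_tarpit()
    results = {"closed port": probe(closed_port()),
               "tarpit": probe(srv.getsockname()[1])}
    for sock in held + [srv]:
        sock.close()
    return results

if __name__ == "__main__":
    for name, (outcome, secs) in demo().items():
        print(f"{name:12s} {outcome:8s} after {secs:.2f}s")
```

The time a client loses to the tarpit is bounded only by the client's own timeout (0.5 s in this sketch), which is why the delay slows automated scanners far more than it costs the defender.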