On 6/28/05, Frederick Page <fpage at thebetteros dot oche dot de> wrote:
> 
> Gee Chris, I am very much surprised to read this from somebody like
> you. As you know, there is no such thing as "stealth", a timeout is
> just as good a confirmation as a reject. If there really was no
> host, the router in front of it would have said "nobody here".
> 

"nobody here" being a destination unreachable?  Unless it gets to a
point where it can't be routed any further, you shouldn't see that (I
tried a few routers to verify and didn't see that).  What I see is
exactly as I said, IP's that aren't live show up exactly like
"stealth" IP's.


> I agree that a timeout annoys a possible intruder more than a reject.
> 
> But what those "stealth" people do (your words: "invisible from anyone
> probing"), is ruin good things like Path MTU discovery, because they
> also block ICMP type 3 (fragmentation needed, but DF flag set).
> 

It doesn't break PMTUD.  At least not with IPFilter.  Those will get
back in via the state table.  But yes, usually if you drop off all
incoming ICMP because you're under the impression that all ICMP is
inherently evil, you're going to break stuff.


> >If you want to be polite, sure, use reject. But the Internet hasn't
> >been a polite place for quite some time.
> 
> That is no good reason to be just as rude? You don't mug people just
> because that's quite common around your neighbourhood? 

Bad analogy.  If people tried to mug me a thousand times a day, I'd
hide from them too.  I wouldn't care if it'd be inconvienent for them
that I was hiding.  :)


> Gee Chris, there is no such thing as "stealth". A timeout means the
> machine is there, just as a reject.
> 

Not from everything I've tested.  You get a timeout if there's nothing
there or if there's a "stealth" firewall there.  I'm sure there are
exceptions under certain circumstances, but the T3, two T1's, and
cable modem I just tested (4 different locations and ISP's) all behave
exactly as I described.

-Chris