 From:  Frederick Page <fpage at thebetteros dot oche dot de>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Reject or Deny?
 Date:  Tue, 28 Jun 2005 21:25:29 +0200
Hello Chris,

Chris Buechler wrote on 28 June 2005:

>>As you know, there is no such thing as "stealth", a timeout is just
>>as good a confirmation as a reject. If there really was no host, the
>>router in front of it would have said "nobody here".
>"nobody here" being a destination unreachable?

Yes, ICMP type 3, code 1 (host not reachable). But your next router
would need to send that answer, not you of course ;)

>IP's that aren't live show up exactly like "stealth" IP's.

I cannot speak for every possible mis-configured network, but a probe
to a dead IP should be answered with ICMP 3, code 1 by the next router
in "front" of it. However I just pinged some non-existing IPs
(internal and external) and indeed got timeouts. So either my memory
serves me wrong, or something has changed :-(

>>But what those "stealth" people do (your words: "invisible from anyone
>>probing"), is ruin good things like Path MTU discovery, because they
>>also block ICMP type 3 (fragmentation needed, but DF flag set).
>It doesn't break PMTUD.  At least not with IPFilter.

Say some "cleverly stealthed" httpd server would send 1500 MTU with DF
flag (standard). Since I am on PPPoE I can only accept 1492 MTU. So
m0n0wall would send an ICMP type 3 (fragmentation needed, but DF
(don't-fragment) flag set) to that httpd. Since this one is
"stealthed" (denies incoming ICMP), it will never re-transmit the
packets, because it never got my cry for help. My browser would simply
hang :-(

I know that m0n0wall itself is much cleverer and still accepts some
ICMP, even if the user has disabled it. But unfortunately there are
lots of bad concepts out there (e.g. Microsoft XP SP2 "firewall") that
really block all ICMP.

>But yes, usually if you drop off all incoming ICMP because you're
>under the impression that all ICMP is inherently evil, you're going
>to break stuff.

That is exactly my point. Yes, m0n0wall is much cleverer ;)

>>(...) there is no such thing as "stealth". A timeout means the
>>machine is there, just as a reject.

>Not from everything I've tested.  You get a timeout if there's nothing
>there or if there's a "stealth" firewall there.

Hm, I was obviously wrong :-( I just pinged some non-existing
192.168.x.x addresses and got timeout. Same with e.g.

Thanks for getting back to me, another thing learned ;)

Best regards  Frederick
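As an added illustration of the PMTUD black hole described in the message above (example code, not from the original thread, from m0n0wall or from IPFilter): a toy model in which an httpd with a 1500-byte MTU sends DF-flagged packets through a next hop whose link MTU is 1492 (the PPPoE case). The next hop answers with ICMP type 3 code 4 carrying the next-hop MTU; whether the sender ever shrinks its packets depends only on whether its firewall lets that one ICMP message in. The class and function names, the 4000-byte payload, the retry limit and the two firewall policies are constructed assumptions, and sizes are whole IP datagrams with header overhead ignored. The small MSS helper at the end is the usual workaround (clamping TCP MSS on the PPPoE side), which the message does not discuss.

```python
"""Toy Path MTU discovery model: a sender that drops all incoming ICMP
never learns the smaller next-hop MTU and its connection hangs.
Added example; names, sizes and policies are constructed, not real tools."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

ICMP_DEST_UNREACH = 3       # ICMP type 3: Destination Unreachable
CODE_HOST_UNREACH = 1       # code 1: host unreachable (the "nobody here" answer)
CODE_FRAG_NEEDED = 4        # code 4: fragmentation needed and DF set (RFC 1191)


@dataclass
class IPPacket:
    size: int                                   # total datagram size in bytes
    df: bool = True                             # don't-fragment flag (TCP default)
    icmp: Optional[Tuple[int, int, int]] = None  # (type, code, next_hop_mtu) if ICMP


@dataclass
class Router:
    """Next hop with a smaller link MTU, e.g. 1492 on a PPPoE line."""
    link_mtu: int

    def forward(self, pkt: IPPacket) -> Tuple[Optional[IPPacket], Optional[IPPacket]]:
        """Returns (forwarded packet, ICMP error sent back to the source)."""
        if pkt.size <= self.link_mtu:
            return pkt, None
        if pkt.df:
            # Too big and DF set: drop it and tell the sender the next-hop MTU.
            err = IPPacket(size=56, icmp=(ICMP_DEST_UNREACH, CODE_FRAG_NEEDED, self.link_mtu))
            return None, err
        # Without DF the router would fragment; not modelled here.
        raise NotImplementedError("fragmentation path not modelled")


# Firewall policies on the sending host: accept ICMP (type, code) or drop it.
def stealth_all_icmp(icmp_type: int, code: int) -> bool:
    """The 'stealth' misconception: every incoming ICMP message is dropped."""
    return False


def allow_frag_needed(icmp_type: int, code: int) -> bool:
    """Drop most ICMP but keep PMTUD working by admitting type 3 code 4."""
    return (icmp_type, code) == (ICMP_DEST_UNREACH, CODE_FRAG_NEEDED)


@dataclass
class Sender:
    mtu: int
    policy: Callable[[int, int], bool]
    pmtu: int = field(init=False)

    def __post_init__(self) -> None:
        self.pmtu = self.mtu    # PMTUD starts at the local interface MTU

    def receive_icmp(self, pkt: IPPacket) -> bool:
        """True if the message was admitted and acted upon, False if dropped."""
        icmp_type, code, next_hop_mtu = pkt.icmp
        if not self.policy(icmp_type, code):
            return False        # silently dropped: the sender never hears the cry for help
        if (icmp_type, code) == (ICMP_DEST_UNREACH, CODE_FRAG_NEEDED):
            self.pmtu = min(self.pmtu, next_hop_mtu)
            return True
        return False


def simulate(policy: Callable[[int, int], bool], payload: int = 4000,
             link_mtu: int = 1492, max_retries: int = 3) -> Dict[str, object]:
    """Send `payload` bytes as full-size DF packets; report whether it got through."""
    sender = Sender(mtu=1500, policy=policy)
    router = Router(link_mtu=link_mtu)
    delivered: List[int] = []
    remaining, retries = payload, 0
    while remaining > 0:
        segment = IPPacket(size=min(remaining, sender.pmtu))
        forwarded, icmp_err = router.forward(segment)
        if forwarded is not None:
            delivered.append(forwarded.size)
            remaining -= forwarded.size
            retries = 0
            continue
        if not sender.receive_icmp(icmp_err):
            # Same oversized packet is retransmitted until the sender gives up:
            # the browser on the other end just hangs.
            retries += 1
            if retries > max_retries:
                return {"status": "hang", "delivered": delivered, "pmtu": sender.pmtu}
    return {"status": "ok", "delivered": delivered, "pmtu": sender.pmtu}


def tcp_mss_for_mtu(mtu: int) -> int:
    """TCP MSS that fits an MTU with 20-byte IPv4 and 20-byte TCP headers (1492 -> 1452).
    Clamping MSS to this on the PPPoE router avoids depending on ICMP at all."""
    return mtu - 40


if __name__ == "__main__":
    print("stealth host:", simulate(stealth_all_icmp))
    print("ICMP 3/4 allowed:", simulate(allow_frag_needed))
    print("MSS for 1492:", tcp_mss_for_mtu(1492))
```

With `stealth_all_icmp` the model retransmits the 1500-byte packet until it gives up and nothing is delivered; with `allow_frag_needed` the first error lowers the path MTU to 1492 and the payload goes through in three segments. The ICMP type 3 code 1 constant is kept only to mark the other half of the discussion: a timeout on a probe cannot be told apart from a dropped packet, whereas an explicit unreachable from the next router can.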