Marius,
Not delusional at all, in my security instance, if I were to have
IPENCAP closed, I wouldn't configure my device to send ICMP Unreachable
messages for it. The perceived gain is that my router doesn't use CPU
resources to process a packet I don't want. This is a common
configuration of a Firewall that Drops by default - I'm not "forcing" my
firewall to do it. It takes additional configuration to
accept-then-reject. The drop by default is helpful in scenarios like a
DDoS attack at the border attempting to use you for an amplification attack.
- For example, If I don't have SSH open, I won't send ICMP Port
Unreachable if a scanner or hacker attempts to connect. Besides, a
scanner is probably ignoring them and looking for SYN-ACKs only.
- For something like PMTU Discovery, I simply allow ICMP - Fragmentation
Needed messages.
- On AMPR, the operators have made a troubleshooting case for a need to
Ping me, so I permit ICMP Echo Request from your GW IPs and 44 allocations.
- Traceroute causes CPU resources to be used on my router or other
downstream devices, even for a destination IP other than itself, so I
block TTLs >= 7.
- In any case, unsolicited packets on my WAN are not considered
"legitimate" to me, so DROPping is OK.
- In all cases, outbound is allowed, so the reverse path is OK.
http://www.chiark.greenend.org.uk/~peterb/network/drop-vs-reject
When reading this link, recall:
- I have 0 "legitimate users" on the WAN
- The only knowledge I'm giving to an attacker whom I drop is my IP,
which they already possess
- I WANT port scans to fail, even from the LAN (the writer makes an
opposite assumption)
73,
- Lynwood
KB3VWG
> for some delusional security advantages.