24 May
2017
24 May
'17
1:57 p.m.
It is not a question, it is a statement. And it is about detecting
inactive gateways.
Brian proposed to collect ICMP unreachable from the gateway IPs, so he
could get a list of certainly unreachable gateways. This method is
sound, with very improbable false positive results, and could
successfully be used for this goal.
And then all started to talk about RIP and the fact that not all
gateways use it and so on.
As I said: Gateway reachability has nothing to do with the fact that a
certain gateway uses or not RIP, or if RIP passes its firewall or not.
The "ICMP unreachable" pertains only IPIP traffic to the public gateway
IP which will be classified as unreachable by the last router before it,
route which is totally agnostic about the firewall settings of the
(unreachable) target or about its ability to process or not RIP multicasts.
And this holds true as long as no "smart" network manager turns off all
ICMP for some delusional security advantages.
On 24.05.2017 20:29, Michael Fox - N6MEF wrote:
(Please trim inclusions from previous messages)
_______________________________________________
On 24.05.2017 19:47, Michael Fox - N6MEF wrote:
Marius,
I'm not sure I understand your question. But the answer to what I think
you're asking is:
Correct, for the external firewall. But an inner firewall that acts on the
traffic within the tunnel should only accept what it needs and block
everything else.
Michael
_________________________________________
44Net mailing list
44Net(a)hamradio.ucsd.edu
http://hamradio.ucsd.edu/mailman/listinfo/44net If the gateway doesn't use RIP, then it may
also not open that port in
its
firewall. So it may either drop the packets silently or return ICMP
unreachables. Right? If so, then the most we can say about this
situation
is that the site is not accepting RIP, not that
something is "probably
wrong". Or am I missing something?
Sorry to ask but what has accepting RIP
to do with the gateway IP?
RIP is encapsulated into IPIP, so no firewall will ever care about that.
And no sane firewall setup will accept RIP on its WAN.
From both the gateway's point of view it's just protocol 4, nothing else.