It is not a question, it is a statement. And it is about detecting inactive gateways.
Brian proposed to collect ICMP unreachables from the gateway IPs, so he could get a list of certainly unreachable gateways. This method is sound, with very improbable false positives, and could successfully be used for this goal.
And then everyone started to talk about RIP and the fact that not all gateways use it and so on.
As I said: gateway reachability has nothing to do with whether a certain gateway uses RIP or not, or whether RIP passes its firewall or not.
The "ICMP unreachable" pertains only to IPIP traffic to the public gateway IP, which will be classified as unreachable by the last router before it, a router which is totally agnostic about the firewall settings of the (unreachable) target or about its ability to process RIP multicasts or not.
And this holds true as long as no "smart" network manager turns off all ICMP for some delusional security advantages.
On 24.05.2017 20:29, Michael Fox - N6MEF wrote:
On 24.05.2017 19:47, Michael Fox - N6MEF wrote:
If the gateway doesn't use RIP, then it may also not open that port in its firewall. So it may either drop the packets silently or return ICMP unreachables. Right? If so, then the most we can say about this situation is that the site is not accepting RIP, not that something is "probably wrong". Or am I missing something?
Sorry to ask, but what has accepting RIP to do with the gateway IP? RIP is encapsulated into IPIP, so no firewall will ever care about that. And no sane firewall setup will accept RIP on its WAN. From both gateways' point of view it's just protocol 4, nothing else.
Marius,
I'm not sure I understand your question. But the answer to what I think you're asking is: Correct, for the external firewall. But an inner firewall that acts on the traffic within the tunnel should only accept what it needs and block everything else.
Michael
44Net mailing list 44Net@hamradio.ucsd.edu http://hamradio.ucsd.edu/mailman/listinfo/44net
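As an added illustration of the detection method discussed in this thread (it is not code from the thread or from the 44Net project), the following Python script parses ICMP Destination Unreachable datagrams the way a collector for the gateway list would: it looks inside the ICMP message at the embedded header of the original datagram, keeps only reports whose original datagram was IPIP (protocol 4) and records the original destination as an unreachable gateway IP. Whatever was carried inside the tunnel (RIP or anything else) is not visible at this level, which is the point Marius makes above. All addresses, the reporting router, the counting threshold and the packet-building helper are constructed assumptions for the example. A gateway that filters all ICMP, as the last paragraph of the top message warns, simply never appears in the result, so this list can only confirm that a gateway is unreachable, never that it is reachable.

```python
import ipaddress
import struct
from collections import Counter

IPPROTO_ICMP = 1
IPPROTO_IPIP = 4        # IP-in-IP encapsulation, "protocol 4" in the thread
ICMP_DEST_UNREACH = 3   # ICMP type 3: Destination Unreachable


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 for a header whose checksum field is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Build a minimal 20-byte IPv4 header with a correct header checksum (helper for constructed samples)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def icmp_unreachable(router: str, reporter_dst: str, orig_src: str, orig_dst: str,
                     orig_proto: int, code: int = 1) -> bytes:
    """Constructed ICMP type-3 datagram as a router emits it: outer IP header, 8-byte ICMP header,
    then the original datagram's IP header plus its first 8 bytes (here: the start of the inner IP header)."""
    orig_tail = b"\x45\x00\x00\x54\x00\x01\x00\x00"
    inner = ipv4_header(orig_src, orig_dst, orig_proto, len(orig_tail)) + orig_tail
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + inner
    icmp = icmp[:2] + struct.pack("!H", ip_checksum(icmp)) + icmp[4:]
    return ipv4_header(router, reporter_dst, IPPROTO_ICMP, len(icmp)) + icmp


def parse_unreachable(pkt: bytes):
    """Return (reporting_router, icmp_code, original_dst, original_proto) for an ICMP
    Destination Unreachable datagram, or None for anything else."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != IPPROTO_ICMP or len(pkt) < ihl + 8 + 20:
        return None
    router = str(ipaddress.IPv4Address(pkt[12:16]))
    icmp_type, code = pkt[ihl], pkt[ihl + 1]
    if icmp_type != ICMP_DEST_UNREACH:
        return None
    inner = pkt[ihl + 8:]                 # embedded header of the datagram that was rejected
    if len(inner) < (inner[0] & 0x0F) * 4:
        return None
    return router, code, str(ipaddress.IPv4Address(inner[16:20])), inner[9]


def unreachable_gateways(packets, threshold: int = 3):
    """Gateways for which at least `threshold` ICMP unreachables were seen for IPIP traffic.
    Only the embedded outer protocol matters: what was tunnelled (RIP or not) is never inspected."""
    counts = Counter()
    for pkt in packets:
        parsed = parse_unreachable(pkt)
        if parsed is None:
            continue
        _router, _code, orig_dst, orig_proto = parsed
        if orig_proto == IPPROTO_IPIP:
            counts[orig_dst] += 1
    return sorted(gw for gw, n in counts.items() if n >= threshold)


# Constructed sample capture (documentation-range addresses, not real gateways).
OUR_HOST, LAST_ROUTER = "203.0.113.10", "198.51.100.1"
SAMPLE_PACKETS = [
    # three host-unreachable (code 1) reports for our IPIP packets toward gateway 192.0.2.7
    icmp_unreachable(LAST_ROUTER, OUR_HOST, OUR_HOST, "192.0.2.7", IPPROTO_IPIP),
    icmp_unreachable(LAST_ROUTER, OUR_HOST, OUR_HOST, "192.0.2.7", IPPROTO_IPIP),
    icmp_unreachable(LAST_ROUTER, OUR_HOST, OUR_HOST, "192.0.2.7", IPPROTO_IPIP),
    # a single report for 192.0.2.9: below the threshold, treated as transient
    icmp_unreachable(LAST_ROUTER, OUR_HOST, OUR_HOST, "192.0.2.9", IPPROTO_IPIP),
    # port-unreachable (code 3) for a plain UDP datagram: not IPIP, so not a gateway verdict
    icmp_unreachable(LAST_ROUTER, OUR_HOST, OUR_HOST, "192.0.2.11", 17, code=3),
    # an ordinary outbound IPIP datagram with no ICMP at all: ignored
    ipv4_header(OUR_HOST, "192.0.2.7", IPPROTO_IPIP, 0),
]

if __name__ == "__main__":
    print("unreachable gateways:", unreachable_gateways(SAMPLE_PACKETS))
```

Feeding real captures to `unreachable_gateways` only requires replacing `SAMPLE_PACKETS` with the raw IPv4 datagrams of a sniffer; the threshold guards against a single transient report being read as a dead gateway.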