Re: tcp blackhole and ident

From: J.D. Bronson (jbronson_at_lonebandit.com)
Date: 01/31/04

    Date: Sat, 31 Jan 2004 07:46:39 -0600
    To: Matthew Seaman <m.seaman@infracaninophile.co.uk>

    At 07:39 AM 1/31/2004, Matthew Seaman wrote:
    >On Sat, Jan 31, 2004 at 07:32:36AM -0600, J.D. Bronson wrote:
    > > I have a question. I setup the following in sysctl.conf:
    > >
    > > net.inet.tcp.blackhole=2
    > > net.inet.udp.blackhole=1
    > >
    > > ..Well this works, but now I have a new issue.
    > > I run sendmail and as such, need to allow TCP 113 into this machine
    > > and yet get CONNECTION REFUSED. - I don't want to run IDENT, but
    > > need to still get the CONNECTION REFUSED...
    >
    >Run ipfw(8) or a similar firewall and set up a rule that sends an ICMP
    >reject whenever it detects an incoming connection on port 113 as part
    >of your firewall configuration. Eg. something like:
    >
    > 01600 reset tcp from any to me dst-port 113 setup
    >
    > Cheers,
    >
    > Matthew

    Thanks...but I have quite a robust Cisco firewall in place ahead of the
    freebsd machines...so I don't -need- to run ipfw...Hmmm...

    Actually since the Cisco is dropping any packets already, I wonder if
    'blackhole' is simply a stupid idea in the first place...

    -- 
    J.D. Bronson - "LoneBandit"
    Aurora Health Care // Information Services // Milwaukee, WI USA
    Office: 414.978.8282 // Email: jd@aurora.org // Pager: 414.314.8282
    _______________________________________________
    freebsd-questions@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-questions
    To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
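The practical difference the thread is about is whether a closed port 113 answers with a TCP RST (the remote MTA's ident lookup fails instantly with "connection refused") or answers with nothing (blackhole=2, or an upstream firewall that drops the SYN, so the remote MTA sits on the ident lookup until its timer expires and mail delivery is delayed). The following probe is an added example, not code from the thread or from FreeBSD: it makes one TCP connect to the ident port of a host and reports which of those behaviours the host actually shows, so an admin can confirm the ipfw `reset` rule (or the upstream firewall exemption) from outside the perimeter. The loopback demo port and the hostname in the comment are constructed placeholders.

```python
"""Added example (not from the mailing-list thread): classify how a host
answers a TCP connect to the ident port (113).

With net.inet.tcp.blackhole=2 a closed port silently drops the SYN, so a
remote MTA's ident lookup hangs until it times out instead of failing fast
with "connection refused" (a RST).  The ipfw 'reset' rule from the thread,
or exempting port 113 from an upstream firewall's drop, restores the RST.
This probe lets an admin confirm which behaviour a host really exhibits.
Hostnames and ports below are constructed examples."""

import socket

IDENT_PORT = 113  # the port the thread is about


def classify(result):
    """Map the outcome of a connect() to one of four labels.

    result is None when connect() succeeded, otherwise the exception raised."""
    if result is None:
        return "open"          # an ident daemon is actually listening
    if isinstance(result, ConnectionRefusedError):
        return "refused"       # RST received: fast failure, what sendmail wants
    if isinstance(result, (socket.timeout, TimeoutError)):
        return "blackholed"    # no answer at all: the remote MTA will stall
    return "unreachable"       # ICMP unreachable, no route, etc.


def probe(host, port=IDENT_PORT, timeout=2.0):
    """Try one TCP connect and return the classification string."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        outcome = None
    except OSError as exc:
        outcome = exc
    finally:
        sock.close()
    return classify(outcome)


def closed_local_port():
    """Pick a loopback port that nothing is listening on (for the demo only)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Loopback demo: a closed port on a kernel without blackhole answers RST.
    port = closed_local_port()
    print(f"127.0.0.1:{port} -> {probe('127.0.0.1', port)}")   # refused
    # Point this at your own mail host from outside the Cisco (constructed
    # hostname) to check that ident lookups fail fast rather than time out:
    # print(probe("mail.example.com"))
```

Run it from a host on the far side of the upstream firewall: "refused" means the reset rule (or the firewall exemption) is doing its job, "blackholed" means remote MTAs will wait out their ident timeout on every delivery, and "unreachable" means the path is being rejected by ICMP before the packet reaches the mail host at all. The loopback case only shows the kernel's default behaviour for a closed port; it says nothing about what a perimeter firewall does.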
    
