On Mon, 25 Aug 2003 17:44:32 -0400, Derrick 'dman' Hudson <[EMAIL PROTECTED]> wrote in message <[EMAIL PROTECTED]>:
> On Mon, Aug 25, 2003 at 02:10:12PM -0700, Steve Lamb wrote:
> | On Mon, 25 Aug 2003 13:51:37 -0500 "P. Kallakuri"
> | <[EMAIL PROTECTED]> wrote:
>
> | > i cannot find what process is keeping them. i know that i disabled
> | > ICMP requests on my gateway,
> |
> | Ungh. Why? Why disable ICMP. I never figured that one out.
> | Anything goes wrong with that line and you'll need to remember to
> | turn it back on so as not to waste the tech's time. "Uh, I can't
> | ping your machine, are you sure it is plugged in?" "Oh, wait, hold
> | on, I turned off that diagnostic tool."
>
> Disabling ICMP causes worse problems than the scenario Steve
> described. Suppose you are trying to connect to a remote system, but
> the server is "partially" down. (for example you are trying to use
> HTTP but their web server isn't running) Instead of an immediate
> "Connection Refused" message, you'll sit for around 2 minutes before
> you get a "Connection Timed Out" message. Why? Well, Connection
> Refused is indicated by an ICMP packet but you never pass those on to
> the application. The application then sees nothing until the timeout
> timer expires. ICMP is extremely useful and is, in fact, required for
> correct operation of TCP and IP. Do not block ICMP.

..no rule without exception: these 2 minutes _are_ useful in tarpits,
to help slow vira propagation: http://labrea.sourceforge.net/ and
http://netfilter.org/documentation/pomlist/pom-extra.html#ipt_TARPIT

--
..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
  Scenarios always come in sets of three:
  best case, worst case, and just in case.
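
What the outcomes discussed in this thread look like from the application's side, as an added example that is not part of the original messages: one TCP connect is timed and labelled as refused, unreachable or timed out. The label names and the `probe`, `classify` and `closed_local_port` helpers are hypothetical, and the loopback target is constructed for the demo.

```python
import errno
import socket
import time

# Hypothetical labels for this example, keyed by what connect() reports.
CONNECTED = "connected"
FAST_REFUSED = "refused"          # an explicit rejection reached the client
FAST_UNREACHABLE = "unreachable"  # a host/network unreachable error was reported
SLOW_TIMEOUT = "timeout"          # nothing came back before the timer expired


def classify(exc):
    """Map an OSError raised by connect() to one of the labels above."""
    if isinstance(exc, ConnectionRefusedError):
        return FAST_REFUSED
    if isinstance(exc, socket.timeout) or exc.errno == errno.ETIMEDOUT:
        return SLOW_TIMEOUT
    if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
        return FAST_UNREACHABLE
    return "other:" + errno.errorcode.get(exc.errno, str(exc.errno))


def probe(host, port, timeout=5.0):
    """Attempt one TCP connect; return (label, seconds spent waiting)."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            label = CONNECTED
    except OSError as exc:
        label = classify(exc)
    return label, time.monotonic() - start


def closed_local_port():
    """Constructed target: a loopback port that has no listener."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))   # let the OS pick a free port
    port = s.getsockname()[1]
    s.close()                  # nothing listens on it any more
    return port


if __name__ == "__main__":
    label, waited = probe("127.0.0.1", closed_local_port())
    print(f"{label} after {waited:.3f}s")
```

Run against a host whose error replies are dropped on the way back, the same call returns the timeout label only after the full timer has expired, which is the delay the thread describes.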