At 05:18 PM 11/16/98 -0500, Daniel Senie wrote:
Actually, the blocks are mine, not theirs. If you use a traceroute on a system which uses ICMP ECHO packets to do the trace, instead of the older Unix implementations which use random UDP ports, your traceroute will get to my site without trouble.
The traceroute I am running is current as it gets, for the unix world that is. I have found that most sites won't block UDP near as often as they block ICMP and this, I have much more success with this traceroute than say, the tracert program on winblows boxes.
I hadn't thought about the PMTU failure this causes. Not nice at all.
Most people don't think about it. It can cause you problems though. Especially when in most cases, when PMTU can't be determined, it is defaulted to 1500.
The problem with this is I can't do traceroutes out, then, because all the responses from the 10.x.x.x/8 and 172.16.0.0/16 machines get caught in the filters.
Sure you can. Any decent NAT or MASQ system will take care of that for you. Case in point: root> ifconfig eth0 eth0 Link encap:Ethernet HWaddr 00:A0:C9:06:7C:82 inet addr:192.168.101.250 Bcast:192.168.101.255 Mask:255.255.255.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:5427402 errors:0 dropped:0 overruns:0 TX packets:4912650 errors:0 dropped:0 overruns:0 Interrupt:9 Base address:0xff40 root> route -n Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 192.168.101.0 0.0.0.0 255.255.255.0 U 0 0 62 eth0 127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 19 lo 0.0.0.0 192.168.101.48 0.0.0.0 UG 0 0 412 eth0 root> traceroute mae-east.psi.net traceroute to mae-east.psi.net (192.41.177.245), 30 hops max, 40 byte packets 1 barrister (192.168.101.48) 0.467 ms 0.363 ms 0.346 ms 2 38.1.1.1 (38.1.1.1) 154.795 ms 139.175 ms 139.722 ms 3 38.17.10.1 (38.17.10.1) 139.654 ms 139.077 ms 139.712 ms 4 leaf2.nc.us.psi.net (38.1.46.2) 179.613 ms 179.044 ms 159.642 ms 5 rc1.nc.us.psi.net (38.1.26.1) 299.494 ms 188.930 ms 169.680 ms 6 core.net223.psi.net (38.1.2.6) 209.555 ms 178.857 ms * Note: I am quite amazed to only see ONE "*" in that trace considering the network that box is attached to.
than your own. I Hope nothing happens that would require your PERSONAL attention while you're at some convention, on vacation, etc.
Fortunately I have enough of an operation to have a direct dial-in to my network so that I can get in even if the ISP link is down, but I agree with your assessment.
I think most of us can do that. The difference is that I use the dialin for security to get devices that I can NOT install SSH on. For everything else, it is a backup link. It would be quite costly for me to dial into the box from the Philippines while I'm over there, even if I could find a decent phone line to do so. The satellite link while slower than I would like, works quite well though. I suppose that you could also telnet/ssh to a "real" IP address behind your router and then telnet to the router though.
...and one last point...
- Have someone loan them a clue about why they should NOT use RFC1918 space in the way your isp is doing so.
Agree. Unfortunately, when selecting ISPs, this was not an aspect I expected I'd have to worry about, and so I didn't ask. It certainly goes on my list for the next negotiation, though.
I never asked FNSI either. I guess that considering how many providers actually do this, I was lucky to find one that actually knows better. ------- John Fraizer | __ _ The System Administrator | / / (_)__ __ ____ __ | The choice mailto:John.Fraizer@EnterZone.Net | / /__/ / _ \/ // /\ \/ / | of a GNU http://www.EnterZone.Net/ | /____/_/_//_/\_,_/ /_/\_\ | Generation A 486 is a terrible thing to waste...