On Mon, Aug 11, 2008 at 03:17:18PM -0500, Justin Shore wrote:
The OS X update I applied was the one that installed a host-based firewall. The update automatically turned on the FW and permitted all local servers that were configured to run, in my case SSH, with everything else being denied. The FW on the OS X box normally wouldn't see packets not destined for it until you put a nic in promisc mode such as what happens when you run EtherPeek. The OS X box's FW was getting hits from traffic denied by it's ACL and was sending TCP RSTs faster than hosts on the 'Net could respond. It did this for everything except SSH which it permitted (but higher up the IP stack it ignored because the IP packet was address to the local box).
This isn't in any way related to the problem at hand but it does demonstrate that weird things happen when devices in unusual places flood out all ports.
And this explains why in Bellovin's Wily Hacker book, there's an anecdote about a sniffer machine on which they had to *physically cut the transmit wire* because they could *not* get the machine to not... do something. ARP queries? Cheers, -- jra -- Jay R. Ashworth Baylink jra@baylink.com Designer The Things I Think RFC 2100 Ashworth & Associates http://baylink.pitas.com '87 e24 St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274 Those who cast the vote decide nothing. Those who count the vote decide everything. -- (Josef Stalin)