Re: PM3 stopping?

Jon Lewis (jlewis@inorganic5.fdt.net)
Tue, 8 Jul 1997 00:27:12 -0400 (EDT)

On Mon, 7 Jul 1997, Jacob H. Suter wrote:

> I've found this trick... ComOS apparently has a hole when it
> comes to large ICMP packets.. Filter all ICMP packets to the ethernet
> interface of the PM from both dialups and the ethernet side of things.
> It'll save yourself some administration hassle (and screw up traceroutes -
> but Livingston's already do that to 90% of the installed system base of
> the world anyways).

IMO, this is good advice for any terminal server. It could just be
coincidence, but since I fixed the filters on our Internet gateway such
that nobody from outside our netblock can send any IP to our terminal
servers and used ipfwadm on our Linux terminal servers to block all ICMP
destined for them entirely, uptimes have been way up. I'm at nearly 6
months uptime on 80 and 64 port Linux boxes.

Other than traceroute, what business does anyone on the outside world have
talking directly to your terminal servers? I can live with one hop of
*'s, and very few people have complained.

As long as I'm off topic, here's an RFE for PMs. They don't support
reject routes yet, do they? While installing gated on my Linux boxes, I
noticed that Linux supports (and has for some time supported) reject
routes...which basically tell the kernel "unless I have a better route to
this host, drop the packet and send a network unreachable message":

traceroute to 205.229.51.199 (205.229.51.199), 30 hops max, 40 byte packets
1 hoth.fdt.net (205.229.48.7) 1.164 ms 1.025 ms 0.988 ms
2 hoth.fdt.net (205.229.48.7) 1.052 ms !N 1.138 ms !N 1.185 ms !N

No more routing loops or bunches of ICMP redirects for unused dialup IPs.

------------------------------------------------------------------
Jon Lewis <jlewis@fdt.net> | Unsolicited commercial e-mail will
Network Administrator | be proof-read for $199/message.
Florida Digital Turnpike |
________Finger jlewis@inorganic5.fdt.net for PGP public key_______
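
The reject-route behaviour described in the message above, modelled as an added example (not part of the original post): a longest-prefix-match lookup on a terminal server, with and without a reject route covering the dialup pool. The pool prefix, the connected caller's address, the two-device topology and the route labels are assumptions made up for the illustration.

```python
import ipaddress

# Constructed addressing (assumptions): a dialup pool containing the traceroute
# target from the message, and one caller currently dialed in.
POOL = ipaddress.ip_network("205.229.51.192/27")
CONNECTED = ipaddress.ip_network("205.229.51.200/32")

def build_table(with_reject):
    """Routes on the terminal server as (prefix, action) pairs."""
    table = [
        (ipaddress.ip_network("0.0.0.0/0"), "forward:gateway"),  # default route
        (CONNECTED, "deliver:ppp0"),            # host route added at dial-in
    ]
    if with_reject:
        table.append((POOL, "reject"))          # catches pool IPs with no host route
    return table

def lookup(table, dst):
    """Longest-prefix match: the most specific matching route wins."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, action) for net, action in table if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def trace(dst, with_reject, max_hops=6):
    """Follow a packet the gateway hands to the terminal server."""
    table = build_table(with_reject)
    hops = []
    for _ in range(max_hops):
        hops.append("terminal-server")          # gateway routes the pool here
        action = lookup(table, dst)
        if action == "reject":
            hops.append("!N")                   # network unreachable sent back
            return hops
        if action.startswith("deliver"):
            hops.append("delivered")
            return hops
        hops.append("gateway")                  # default route bounces it back
    hops.append("ttl-expired")                  # loop ran until the TTL ran out
    return hops

if __name__ == "__main__":
    print(trace("205.229.51.199", with_reject=False))  # unused IP, loops
    print(trace("205.229.51.199", with_reject=True))   # unused IP, rejected
    print(trace("205.229.51.200", with_reject=True))   # connected caller
```

The host route for a connected caller is more specific than the pool-wide reject route, so live sessions are unaffected while unused addresses stop bouncing between the two devices.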