[106736] in North American Network Operators' Group
Re: impossible circuit
daemon@ATHENA.MIT.EDU (Jay R. Ashworth)
Mon Aug 11 16:22:39 2008
Date: Mon, 11 Aug 2008 16:22:28 -0400
From: "Jay R. Ashworth" <jra@baylink.com>
To: nanog@nanog.org
In-Reply-To: <48A09E4E.8000002@justinshore.com>
Errors-To: nanog-bounces@nanog.org
On Mon, Aug 11, 2008 at 03:17:18PM -0500, Justin Shore wrote:
> The OS X update I applied was the one that installed a host-based
> firewall. The update automatically turned on the FW and permitted all
> local servers that were configured to run, in my case SSH, with
> everything else being denied. The FW on the OS X box normally wouldn't
> see packets not destined for it until you put a nic in promisc mode such
> as what happens when you run EtherPeek. The OS X box's FW was getting
> hits from traffic denied by its ACL and was sending TCP RSTs faster
> than hosts on the 'Net could respond. It did this for everything except
> SSH which it permitted (but higher up the IP stack it ignored because
> the IP packet was addressed to the local box).
>
> This isn't in any way related to the problem at hand but it does
> demonstrate that weird things happen when devices in unusual places
> flood out all ports.
And this explains why in Bellovin's Wily Hacker book, there's an
anecdote about a sniffer machine on which they had to *physically cut
the transmit wire* because they could *not* get the machine to not...
do something. ARP queries?
Cheers,
-- jra
--
Jay R. Ashworth Baylink jra@baylink.com
Designer The Things I Think RFC 2100
Ashworth & Associates http://baylink.pitas.com '87 e24
St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274
Those who cast the vote decide nothing.
Those who count the vote decide everything.
-- (Josef Stalin)
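The symptom Justin describes above (a sniffer box whose host firewall resets connections it merely observed) leaves a wire-level fingerprint worth checking for. The following is an added example, not code from anyone in this thread: a small Python heuristic that learns which MAC normally sends as each IP and then flags RSTs whose source IP the sending MAC has never otherwise used. It assumes (the thread does not say so) that the rejecting firewall replies with an RST whose source IP is the original packet's destination, i.e. an address the sniffer box does not own; the frames below are constructed sample data, not a real capture.

```python
"""Flag TCP RSTs sent by a host on behalf of IP addresses it does not own.

Assumption (not stated in the thread): a host firewall that rejects a sniffed
segment answers with an RST whose source IP is the original destination, so
on the wire the RST's source IP does not belong to the MAC that sent it.
All frames here are constructed sample data, not a real capture.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Set


class Frame(NamedTuple):
    src_mac: str
    src_ip: str
    dst_ip: str
    tcp_flags: str  # e.g. "S", "SA", "A", "R"


# Constructed traffic as seen on a tapped/mirrored segment.
# aa:.. = client, bb:.. = real server, cc:.. = sniffer box with host firewall
SAMPLE_FRAMES: List[Frame] = [
    Frame("aa:aa:aa:00:00:01", "192.0.2.10", "198.51.100.5", "S"),   # client SYN
    Frame("bb:bb:bb:00:00:02", "198.51.100.5", "192.0.2.10", "SA"),  # real server
    Frame("aa:aa:aa:00:00:01", "192.0.2.10", "198.51.100.5", "A"),
    # Real server resets a closed port: benign, its MAC owns that IP.
    Frame("aa:aa:aa:00:00:01", "192.0.2.10", "198.51.100.5", "S"),
    Frame("bb:bb:bb:00:00:02", "198.51.100.5", "192.0.2.10", "R"),
    # Sniffer box answers a SYN it only observed, posing as 198.51.100.7.
    Frame("aa:aa:aa:00:00:01", "192.0.2.10", "198.51.100.7", "S"),
    Frame("cc:cc:cc:00:00:03", "198.51.100.7", "192.0.2.10", "R"),
    # Sniffer box resetting a port on its *own* address 203.0.113.9: benign.
    Frame("aa:aa:aa:00:00:01", "192.0.2.10", "203.0.113.9", "S"),
    Frame("cc:cc:cc:00:00:03", "203.0.113.9", "192.0.2.10", "R"),
    Frame("cc:cc:cc:00:00:03", "203.0.113.9", "192.0.2.10", "SA"),
]


def learn_owners(frames: Iterable[Frame]) -> Dict[str, Set[str]]:
    """Map each source IP to the MACs seen sending non-RST traffic as that IP.

    RSTs are excluded from learning so that the very behaviour we want to
    catch cannot teach the detector that the sniffer box "owns" the address.
    """
    owners: Dict[str, Set[str]] = defaultdict(set)
    for f in frames:
        if "R" not in f.tcp_flags:
            owners[f.src_ip].add(f.src_mac)
    return owners


def suspicious_rsts(frames: List[Frame]) -> List[Frame]:
    """Return RST frames whose source IP is not owned by the sending MAC."""
    owners = learn_owners(frames)  # two passes: learn first, then judge
    return [
        f for f in frames
        if "R" in f.tcp_flags and f.src_mac not in owners.get(f.src_ip, set())
    ]


def rst_impersonation_by_mac(frames: List[Frame]) -> Dict[str, int]:
    """Count distinct foreign IPs each MAC has reset as.

    A sniffer box with a host firewall shows up as a single MAC resetting
    on behalf of many addresses; a spoofed one-off would score 1.
    """
    counts: Dict[str, Set[str]] = defaultdict(set)
    for f in suspicious_rsts(frames):
        counts[f.src_mac].add(f.src_ip)
    return {mac: len(ips) for mac, ips in counts.items()}


if __name__ == "__main__":
    for f in suspicious_rsts(SAMPLE_FRAMES):
        print(f"RST from {f.src_mac} posing as {f.src_ip} -> {f.dst_ip}")
    print(rst_impersonation_by_mac(SAMPLE_FRAMES))
```

The two-pass design matters: learning ownership from the same stream that contains the rogue RSTs would let the sniffer box "claim" every address it resets as, so only non-RST traffic is trusted as evidence of ownership. On a real tap this heuristic also fires for legitimate proxies, load balancers and anti-spoofing middleboxes that send RSTs as other addresses, so treat a hit as a lead to check physically, the way the thread did, rather than as proof.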