Hey! I like that!! I could call that a firewall! I'd change it though.
I'd actually filter out ICMP to the router itself or to a certain C or two
which house critical machines and termial servers. This will 1)
Externally make us invisible past our fictional border router that I'm
trying to convince my boss to get, and 2) Stop denial of service attacks
on key machines and stuff.
One problem, customers tracing OUT of us will see the second hop before
they hit the internet. That will cheese them off some. If customers are
as predictable as we all think they are, they will cancel once they see
how shitty we are because we have a core hop, and a border hop before we
even hit the internet.
Puke..
-- Regards,Jason A. Lixfeld jlixfeld@idirect.ca System Administrator [L5] jlixfeld@torontointernetxchange.net
--------------------------------------------------------------------- TUCOWS Interactive Ltd. o/a | "A Different Kind of Internet Company" Internet Direct Canada Inc. | "FREE BANDWIDTH for Toronto Area IAPs" 5415 Dundas Street West | http://www.torontointernetxchange.net Suite 301, Toronto Ontario | (416) 236-5806 ext 18 (T) M9B-1B5 CANADA | (416) 236-5804 (F) ---------------------------------------------------------------------
:What might work instead is to simply put in an access list to block the :ICMP TTL EXCEEDED messages from coming back into your net. That will :quite effectively break traceroute. If customers complain, tell them :it's being done for security reasons and you're just trying to protect :your customers. :) : :Obviously we all know that the number of router hops is not the issue. :This is what you should really be telling your boss. Don't let customer :service and marketing get in the way of good network design. Well, not :for the wrong reasons, anyway. : :/cvk :
This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:13:15 EDT