Jay R. Ashworth
jra at baylink.com
Mon Aug 11 15:22:28 CDT 2008
On Mon, Aug 11, 2008 at 03:17:18PM -0500, Justin Shore wrote:
> The OS X update I applied was the one that installed a host-based
> firewall. The update automatically turned on the FW and permitted all
> local servers that were configured to run, in my case SSH, with
> everything else being denied. The FW on the OS X box normally wouldn't
> see packets not destined for it until you put a NIC in promisc mode such
> as what happens when you run EtherPeek. The OS X box's FW was getting
> hits from traffic denied by its ACL and was sending TCP RSTs faster
> than hosts on the 'Net could respond. It did this for everything except
> SSH which it permitted (but higher up the IP stack it ignored because
> the IP packet was addressed to the local box).
> This isn't in any way related to the problem at hand but it does
> demonstrate that weird things happen when devices in unusual places
> flood out all ports.
And this explains why in Bellovin's Wily Hacker book, there's an
anecdote about a sniffer machine on which they had to *physically cut
the transmit wire* because they could *not* get the machine to not...
do something. ARP queries?
Jay R. Ashworth Baylink jra at baylink.com
Designer The Things I Think RFC 2100
Ashworth & Associates http://baylink.pitas.com '87 e24
St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274
Those who cast the vote decide nothing.
Those who count the vote decide everything.
-- (Josef Stalin)