2002-11-28 16:18:35

by Larry McVoy

Subject: connectivity to bkbits.net?

We've been having problems getting out to certain parts of the net for the
last few days, in particular, we can't get to sgi.com which is unusual.
If you are having problems getting to bkbits.net, let me know. We have
a couple of machines at rackspace and I can push repos over there.

traceroute to sgi.com (128.167.58.40), 30 hops max, 38 byte packets
1 bitmover (10.3.9.3) 0.535 ms 0.103 ms 0.100 ms
2 cisco (192.132.92.1) 1.236 ms 1.175 ms 1.228 ms
3 s9-1-1-6-0.ar2.SFO1.gblx.net (64.214.96.229) 3.080 ms 3.205 ms 2.982 ms
4 64.215.195.189 (64.215.195.189) 3.052 ms 3.256 ms 3.114 ms
5 64.211.147.86 (64.211.147.86) 4.592 ms 4.623 ms 4.468 ms
6 so6-0-0-2488M.br2.PAO2.gblx.net (207.136.163.126) 4.586 ms 4.530 ms 4.701 ms
7 p4-0.paix-bi1.bbnplanet.net (4.0.6.81) 4.627 ms 4.467 ms 4.427 ms
8 p6-0.snjpca1-br1.bbnplanet.net (4.24.7.61) 5.179 ms 5.678 ms 5.215 ms
9 p1-0.sjccolo-dbe1.bbnplanet.net (4.24.6.253) 5.431 ms 5.214 ms 5.235 ms
10 vlan40.sjccolo-isw03-rc1.bbnplanet.net (128.11.200.91) 5.326 ms 5.396 ms 5.464 ms
11 128.11.16.169 (128.11.16.169) 5.581 ms 5.470 ms 5.654 ms
12 *


2002-11-28 17:47:02

by kaih

Subject: Re: connectivity to bkbits.net?

[email protected] (Larry McVoy) wrote on 28.11.02 in <[email protected]>:

> We've been having problems getting out to certain parts of the net for the
> last few days, in particular, we can't get to sgi.com which is unusual.
> If you are having problems getting to bkbits.net, let me know. We have
> a couple of machines at rackspace and I can push repos over there.
>
> traceroute to sgi.com (128.167.58.40), 30 hops max, 38 byte packets
> 1 bitmover (10.3.9.3) 0.535 ms 0.103 ms 0.100 ms
> 2 cisco (192.132.92.1) 1.236 ms 1.175 ms 1.228 ms
> 3 s9-1-1-6-0.ar2.SFO1.gblx.net (64.214.96.229) 3.080 ms 3.205 ms 2.982 ms
> 4 64.215.195.189 (64.215.195.189) 3.052 ms 3.256 ms 3.114 ms
> 5 64.211.147.86 (64.211.147.86) 4.592 ms 4.623 ms 4.468 ms
> 6 so6-0-0-2488M.br2.PAO2.gblx.net (207.136.163.126) 4.586 ms 4.530 ms 4.701 ms
> 7 p4-0.paix-bi1.bbnplanet.net (4.0.6.81) 4.627 ms 4.467 ms 4.427 ms
> 8 p6-0.snjpca1-br1.bbnplanet.net (4.24.7.61) 5.179 ms 5.678 ms 5.215 ms
> 9 p1-0.sjccolo-dbe1.bbnplanet.net (4.24.6.253) 5.431 ms 5.214 ms 5.235 ms
> 10 vlan40.sjccolo-isw03-rc1.bbnplanet.net (128.11.200.91) 5.326 ms 5.396 ms 5.464 ms
> 11 128.11.16.169 (128.11.16.169) 5.581 ms 5.470 ms 5.654 ms
> 12 *

From two or three traceroutes, that problem seems to be at the SGI end. I
can't get to them either (nothing after the same IP as for you, at hop
#17, some place at Genuity), but you are practically next door.

MfG Kai

2002-11-28 21:06:29

by Russell King

Subject: Re: connectivity to bkbits.net?

On Thu, Nov 28, 2002 at 06:53:00PM +0200, Kai Henningsen wrote:
> From two or three traceroutes, that problem seems to be at the SGI end. I
> can't get to them either (nothing after the same IP as for you, at hop
> #17, some place at Genuity), but you are practically next door.

Lesson #1 of firewalling: drop everything.
Lesson #2 of firewalling: only accept what you absolutely have to.

Try pointing a web browser at sgi.com port 80. I _bet_ you get a
response. The site is reachable, they just block UDP (and probably
a lot of other stuff.)

traceroute uses UDP, so if a site drops UDP (rather than blocking it)
it will appear as a black hole.

--
Russell King ([email protected]) The developer of ARM Linux
http://www.arm.linux.org.uk/personal/aboutme.html

2002-11-28 23:52:03

by Miquel van Smoorenburg

Subject: Re: connectivity to bkbits.net?

In article <[email protected]>,
Russell King <[email protected]> wrote:
>On Thu, Nov 28, 2002 at 06:53:00PM +0200, Kai Henningsen wrote:
>> From two or three traceroutes, that problem seems to be at the SGI end. I
>> can't get to them either (nothing after the same IP as for you, at hop
>> #17, some place at Genuity), but you are practically next door.
>
>Lesson #1 of firewalling: drop everything.
>Lesson #2 of firewalling: only accept what you absolutely have to.

Lesson #3 of firewalling: due to #1 and #2 most admins block
ICMP_UNREACH_NEEDFRAG as well (ICMP == ping == bad) breaking
path MTUd. http://alive.znep.com/~marcs/mtu/

Note that IPv6 has no fragmentation and pMTUd is mandatory.
Oh joy.

Mike.
--
They all laughed when I said I wanted to build a joke-telling machine.
Well, I showed them! Nobody's laughing *now*! -- [email protected]
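
Added example, not part of the original thread: a toy Python model of the failure described in Lesson #3, where a firewall that drops ICMP_UNREACH_NEEDFRAG leaves a sender with Don't Fragment set unable to learn the path MTU. The hop names, MTU values and function names are constructed for illustration.

```python
# Toy model of path-MTU discovery (PMTUD) through a filtering firewall.
# Hop names and MTU values are constructed for illustration.
ICMP_UNREACH_NEEDFRAG = (3, 4)  # ICMP type 3 (unreachable), code 4 (need frag)

# (hop name, MTU of the link leaving that hop); the 1492 link is the bottleneck
PATH = [("lan-gw", 1500), ("isp-edge", 1500), ("pppoe-link", 1492), ("dest-fw", 1500)]

def send_df(path, size, icmp_dropped):
    """Send one packet with Don't Fragment set.

    Returns ("delivered", None), ("needfrag", mtu) when the router's ICMP
    error reaches the sender, or ("lost", None) when a firewall drops it.
    """
    for _name, mtu in path:
        if size > mtu:
            if ICMP_UNREACH_NEEDFRAG in icmp_dropped:
                return ("lost", None)      # router complained, nobody heard it
            return ("needfrag", mtu)
    return ("delivered", None)

def transfer(path, local_mtu, icmp_dropped, max_tries=4):
    """Sender-side PMTUD: start at the local MTU, shrink on each need-frag."""
    pmtu, log = local_mtu, []
    for _ in range(max_tries):
        status, hinted_mtu = send_df(path, pmtu, icmp_dropped)
        log.append((pmtu, status))
        if status == "delivered":
            return pmtu, log
        if status == "needfrag":
            pmtu = hinted_mtu
        # on "lost" the sender learns nothing and retransmits at the same size
    return None, log

if __name__ == "__main__":
    for label, dropped in (("ICMP need-frag allowed", set()),
                           ("ICMP need-frag dropped", {ICMP_UNREACH_NEEDFRAG})):
        pmtu, log = transfer(PATH, 1500, dropped)
        print(f"{label}: working PMTU={pmtu}, attempts={log}")
    # Small packets (e.g. a TCP handshake) still pass, so the connection
    # opens and then stalls on the first full-sized segment.
    print("40-byte packet:", send_df(PATH, 40, {ICMP_UNREACH_NEEDFRAG})[0])
```

With the ICMP error filtered, every full-sized attempt is lost while small packets still get through, which is why the symptom looks like a hung connection rather than an unreachable host.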

2002-11-29 08:08:14

by kaih

Subject: Re: connectivity to bkbits.net?

[email protected] (Miquel van Smoorenburg) wrote on 28.11.02 in <[email protected]>:

> In article <[email protected]>,
> Russell King <[email protected]> wrote:
> >On Thu, Nov 28, 2002 at 06:53:00PM +0200, Kai Henningsen wrote:
> >> From two or three traceroutes, that problem seems to be at the SGI end. I
> >> can't get to them either (nothing after the same IP as for you, at hop
> >> #17, some place at Genuity), but you are practically next door.
> >
> >Lesson #1 of firewalling: drop everything.
> >Lesson #2 of firewalling: only accept what you absolutely have to.
>
> Lesson #3 of firewalling: due to #1 and #2 most admins block
> ICMP_UNREACH_NEEDFRAG as well (ICMP == ping == bad) breaking
> path MTUd. http://alive.znep.com/~marcs/mtu/

Lesson #4 of firewalling: a friendly firewall will (unless there are
*specific* reasons to do otherwise) allow for ICMP_UNREACH_NEEDFRAG (and
some similar things), ping, and traceroute. That's how I usually set them
up. (ping == good)

MfG Kai