Exodus / Clue problems

Actually, the blocks are mine, not theirs. If you use a traceroute on a
system which uses ICMP ECHO packets to do the trace, instead of the
older Unix implementations which use random UDP ports, your traceroute
will get to my site without trouble.

The traceroute I am running is current as it gets, for the unix world that
is. I have found that most sites won't block UDP near as often as they
block ICMP, and thus I have much more success with this traceroute than
say, the tracert program on winblows boxes.

I hadn't thought about the PMTU failure this causes. Not nice at all.

Most people don't think about it. It can cause you problems though.
Especially when in most cases, when PMTU can't be determined, it is
defaulted to 1500.

The problem with this is I can't do traceroutes out, then, because all
the responses from the 10.x.x.x/8 and machines get caught
in the filters.

Sure you can. Any decent NAT or MASQ system will take care of that for
you. Case in point:

ifconfig eth0

eth0 Link encap:Ethernet HWaddr 00:A0:C9:06:7C:82
          inet addr: Bcast: Mask:
          RX packets:5427402 errors:0 dropped:0 overruns:0
          TX packets:4912650 errors:0 dropped:0 overruns:0
          Interrupt:9 Base address:0xff40

route -n

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref Use Iface
                                                U     0      0    62 eth0
                                                U     0      0    19 lo
                                                UG    0      0   412 eth0

traceroute mae-east.psi.net

traceroute to mae-east.psi.net (, 30 hops max, 40 byte packets
1 barrister ( 0.467 ms 0.363 ms 0.346 ms
2 ( 154.795 ms 139.175 ms 139.722 ms
3 ( 139.654 ms 139.077 ms 139.712 ms
4 leaf2.nc.us.psi.net ( 179.613 ms 179.044 ms 159.642 ms
5 rc1.nc.us.psi.net ( 299.494 ms 188.930 ms 169.680 ms
6 core.net223.psi.net ( 209.555 ms 178.857 ms *

Note: I am quite amazed to only see ONE "*" in that trace considering the
network that box is attached to.

than your own. I hope nothing happens that would require your PERSONAL
attention while you're at some convention, on vacation, etc.

Fortunately I have enough of an operation to have a direct dial-in to my
network so that I can get in even if the ISP link is down, but I agree
with your assessment.

I think most of us can do that. The difference is that I use the dialin
for security to get devices that I can NOT install SSH on. For everything
else, it is a backup link. It would be quite costly for me to dial into
the box from the Philippines while I'm over there, even if I could find a
decent phone line to do so. The satellite link, while slower than I would
like, works quite well though. I suppose that you could also telnet/ssh to
a "real" IP address behind your router and then telnet to the router though.

...and one last point...

- Have someone loan them a clue about why they should NOT use RFC1918 space
in the way your ISP is doing so.

Agree. Unfortunately, when selecting ISPs, this was not an aspect I
expected I'd have to worry about, and so I didn't ask. It certainly goes
on my list for the next negotiation, though.

I never asked FNSI either. I guess that considering how many providers
actually do this, I was lucky to find one that actually knows better.