zlacker

1. bjt123 (OP) 2026-01-12 12:43:42
SSH is TCP though and the outside world can initiate a handshake, the point being that wireguard silently discards unauthenticated traffic - there's no way they can know the port is open for listening.
replies(1): >>eqvino+i03
2. eqvino+i03 2026-01-13 10:24:35
>>bjt123+(OP)
Uh, you know you can scan UDP ports just fine, right? Hosts reply with an ICMP destination unreachable / port unreachable (3/3 in IPv4, 1/4 in IPv6) if the port is closed. Discarding packets won't send that ICMP error.

It's slow to scan due to ICMP ratelimiting, but you can parallelize.

(Sure, you can disable / firewall drop that ICMP error… but then you can do the same thing with TCP RSTs.)

replies(1): >>apstls+Ew5
3. apstls+Ew5 2026-01-13 22:03:04
>>eqvino+i03
That's why you discard ICMP errors.
replies(1): >>eqvino+qt6
4. eqvino+qt6 2026-01-14 05:09:16
>>apstls+Ew5
If anything, that's why you discard ICMP port unreachable, which I assume you meant.

If you're blanket dropping all ICMP errors, you're breaking PMTUD. There's a special place reserved in hell for that.

(And if you're firewalling your ICMP, why aren't you firewalling TCP?)
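The distinction drawn in the last two comments, as an added example that is not part of the thread: a small parser for the ICMP/ICMPv6 header plus two outbound filter policies, a blanket "drop all ICMP errors" rule and the narrower "drop only port unreachable" rule. Constructed packets show that the blanket rule also swallows Fragmentation Needed / Packet Too Big, which is what breaks PMTUD. Type and code values are from RFC 792 and RFC 4443; the function and field names are mine.

```python
import struct
from dataclasses import dataclass

# ICMPv4 (RFC 792) and ICMPv6 (RFC 4443) values used below.
ICMPV4_DEST_UNREACH = 3          # type
ICMPV4_CODE_PORT_UNREACH = 3     # the "3/3" from the thread
ICMPV4_CODE_FRAG_NEEDED = 4      # needed for PMTUD
ICMPV4_ERROR_TYPES = {3, 4, 5, 11, 12}
ICMPV6_DEST_UNREACH = 1          # type
ICMPV6_CODE_PORT_UNREACH = 4     # the "1/4" from the thread
ICMPV6_PACKET_TOO_BIG = 2        # type, needed for PMTUD


@dataclass(frozen=True)
class IcmpHeader:
    version: int   # 4 or 6, taken from the enclosing IP header
    type: int
    code: int


def parse_icmp(version: int, message: bytes) -> IcmpHeader:
    """Parse type and code from the 4-byte ICMP/ICMPv6 header (type, code, checksum)."""
    if version not in (4, 6):
        raise ValueError("version must be 4 or 6")
    if len(message) < 4:
        raise ValueError("ICMP message shorter than its 4-byte header")
    icmp_type, icmp_code, _checksum = struct.unpack("!BBH", message[:4])
    return IcmpHeader(version, icmp_type, icmp_code)


def is_error_message(hdr: IcmpHeader) -> bool:
    """ICMPv4 errors are a fixed set of types; ICMPv6 errors have the high bit clear."""
    return hdr.type in ICMPV4_ERROR_TYPES if hdr.version == 4 else hdr.type < 128


def blanket_policy(hdr: IcmpHeader) -> str:
    """The rule criticised in comment 4: drop every outbound ICMP error."""
    return "drop" if is_error_message(hdr) else "accept"


def port_unreach_only_policy(hdr: IcmpHeader) -> str:
    """Drop only port-unreachable, so closed UDP ports look like dropped ones
    while Fragmentation Needed / Packet Too Big still leave the host."""
    v4_port = hdr.version == 4 and (hdr.type, hdr.code) == (ICMPV4_DEST_UNREACH, ICMPV4_CODE_PORT_UNREACH)
    v6_port = hdr.version == 6 and (hdr.type, hdr.code) == (ICMPV6_DEST_UNREACH, ICMPV6_CODE_PORT_UNREACH)
    return "drop" if (v4_port or v6_port) else "accept"


def build_icmp(icmp_type: int, code: int) -> bytes:
    """Constructed header with a zero checksum and a 4-byte unused field."""
    return struct.pack("!BBHI", icmp_type, code, 0, 0)
```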
