Date: Thu, 29 Feb 1996 13:12:30 -0700
From: Nate Williams <nate@sri.MT.net>
To: Paul Richards <p.richards@elsevier.co.uk>
Cc: current@FreeBSD.ORG
Subject: Re: Processing ICMP packets (was: -stable hangs at boot (fwd))
Message-ID: <199602292012.NAA12375@rocky.sri.MT.net>
In-Reply-To: <199602291859.SAA17390@tees>
References: <199602291859.SAA17390@tees>
> > It does have special meaning. Theoretically, you SHOULD be able to say
> > "if I get 9 (or 10) I cannot reach that net (or host), period." However,
> > many firewalls generate 9 or 10 (which was obsoleted by 13 for just this
> > reason). 13 says "don't assume anything other than this connection attempt
> > was refused for administrative reasons."
>
> Trouble is, if you're a paranoid firewall maintainer, like most are
> (and should be), then you don't want to tell the world that you're a
> firewall and you're denying access, you want to say, there's no such
> address as the one you're trying so stop wasting your time.

I disagree. This is security through obscurity, and any hacker worth
their salt is going to see right through this. If they're trying to
access a host behind a firewall, they already know it exists, so if you
think telling them otherwise is going to matter then you're simply
fooling yourself.

Nate

p.s. Paul, I'm still waiting for a review of my handbook entries. :)
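As an added example, not part of the original thread, here is a small Python parser that validates an ICMP Destination Unreachable message and classifies the codes the thread argues about: per RFC 1812, codes 9, 10 and 13 all mean a policy refused the traffic, while codes 0 and 1 mean the destination genuinely could not be reached. The build_unreachable helper, the addresses and the port in the test are constructed sample data, not captured traffic.

```python
import struct

# ICMP type 3 (Destination Unreachable) codes from RFC 792 / RFC 1812.
ADMIN_PROHIBITED = {9: "net administratively prohibited",
                    10: "host administratively prohibited",
                    13: "communication administratively prohibited"}
HARD_UNREACHABLE = {0: "net unreachable", 1: "host unreachable",
                    2: "protocol unreachable", 3: "port unreachable"}

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; 0 when a whole message verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_unreachable(code, src, dst, dport, proto=6):
    """Construct a sample (not captured) ICMP unreachable message quoting the
    IP header and first 8 bytes of a TCP/UDP datagram from src to dst:dport."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    l4 = struct.pack("!HHI", 40000, dport, 0)        # sport, dport, seq
    body = struct.pack("!BBHI", 3, code, 0, 0) + ip + l4
    return struct.pack("!BBHI", 3, code, icmp_checksum(body), 0) + ip + l4

def parse_unreachable(icmp: bytes) -> dict:
    """Validate a type 3 message and say whether the sender reported a real
    unreachable or an administrative block, plus who was talking to whom."""
    if len(icmp) < 8 + 20 + 8:
        raise ValueError("truncated ICMP message")
    if icmp[0] != 3:
        raise ValueError("not a Destination Unreachable message")
    if icmp_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    code, inner = icmp[1], icmp[8:]          # quoted original datagram
    ihl, proto = (inner[0] & 0x0F) * 4, inner[9]
    src = ".".join(str(b) for b in inner[12:16])
    dst = ".".join(str(b) for b in inner[16:20])
    dport = struct.unpack("!H", inner[ihl + 2:ihl + 4])[0] if proto in (6, 17) else None
    if code in ADMIN_PROHIBITED:
        verdict, reason = "filtered", ADMIN_PROHIBITED[code]
    elif code in HARD_UNREACHABLE:
        verdict, reason = "unreachable", HARD_UNREACHABLE[code]
    else:
        verdict, reason = "other", "code %d" % code
    return {"code": code, "verdict": verdict, "reason": reason,
            "src": src, "dst": dst, "dport": dport}
```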