Date: Fri, 01 Aug 2003 08:15:41 -0700
From: Michael Sierchio <kudzu@tenebras.com>
To: Sten Daniel Sørsdal <sten.daniel.sorsdal@wan.no>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Suggestion regarding a new option for IPFW2
Message-ID: <3F2A841D.7050104@tenebras.com>
In-Reply-To: <0AF1BBDF1218F14E9B4CCE414744E70F07DEFE@exchange.wanglobal.net>
References: <0AF1BBDF1218F14E9B4CCE414744E70F07DEFE@exchange.wanglobal.net>
Sten Daniel Sørsdal wrote:
> I have a humble suggestion to an IPFW2 option.
>
> The option to send icmp error messages/tcp resets with src being
> the original destination of the offending packet.
>
> I realize after looking at the src's that this might require a
> separate icmp_error() - please correct me if I'm wrong!
>
> The intent is to "disguise" the source of the error message for
> forwarding firewalls protecting servers.

This feature already exists. natd already does this. It does even better -- it correctly rewrites the *included* header (the one from the offending packet).

That being said, it's certainly correct for an intermediate router (for example, a firewall) to issue an ICMP unreachable net-prohib, etc. or to issue a TCP reset, without rewriting. This works fine -- several mailing lists I subscribe to attempt to connect to auth/tcp when I post. My firewall issues a reset to these connection attempts, and it gives up and cheerfully accepts my message.
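The point about the *included* header is easy to miss, so here is an added illustration (example code written for this archive page, not natd's or ipfw's own code): a NAT that forwards an inbound connection to an internal server and then passes an ICMP destination-unreachable back out must rewrite both the outer source address and the destination address inside the quoted offending header, and fix three checksums (inner IP, ICMP, outer IP). Otherwise the client sees an error that quotes a packet it never sent, to an address it cannot see. The addresses, the port-113 (auth/tcp) SYN and the natd-like rewrite function are all constructed assumptions for the demo; the ICMP code 9 is "net-prohib" as mentioned above.

```python
import struct

# Constructed addresses for the demo (documentation ranges, not real hosts).
PUBLIC_IP = "198.51.100.1"    # address the client connected to (NAT outside)
INTERNAL_IP = "10.0.0.10"     # server the NAT forwarded the connection to
CLIENT_IP = "203.0.113.5"     # the client that sent the offending SYN


def ip_to_bytes(addr):
    return bytes(int(x) for x in addr.split("."))


def bytes_to_ip(b):
    return ".".join(str(x) for x in b)


def checksum(data):
    """RFC 1071 ones'-complement checksum; returns 0 for a block that already carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ip_to_bytes(src), ip_to_bytes(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def parse_ipv4(pkt):
    return {"src": bytes_to_ip(pkt[12:16]), "dst": bytes_to_ip(pkt[16:20]),
            "proto": pkt[9], "payload": pkt[20:]}


def build_icmp_error(src, dst, code, offending):
    """ICMP type 3 (destination unreachable): header, 4 unused bytes, then the quoted offending packet."""
    icmp = struct.pack("!BBHI", 3, code, 0, 0) + offending
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return ipv4_header(src, dst, 1, len(icmp)) + icmp


def nat_icmp_error_outbound(pkt, internal, public):
    """Constructed natd-like translation of an ICMP error leaving the NAT.

    Rewrites the outer source (internal -> public) AND the destination inside the
    quoted offending header (internal -> public), recomputing every affected checksum.
    Packets that are not ICMP errors from the internal host are returned untouched.
    """
    outer = parse_ipv4(pkt)
    if outer["proto"] != 1 or outer["src"] != internal:
        return pkt
    icmp = bytearray(outer["payload"])
    if icmp[0] != 3:                      # only destination-unreachable is handled here
        return pkt
    inner = bytearray(icmp[8:])           # quoted offending IP header + first 8 bytes
    if bytes_to_ip(inner[16:20]) != internal:
        return pkt
    inner[16:20] = ip_to_bytes(public)    # the client originally sent to the public address
    inner[10:12] = b"\x00\x00"
    inner[10:12] = struct.pack("!H", checksum(bytes(inner[:20])))
    icmp[8:] = inner
    icmp[2:4] = b"\x00\x00"
    icmp[2:4] = struct.pack("!H", checksum(bytes(icmp)))
    return ipv4_header(public, outer["dst"], 1, len(icmp)) + bytes(icmp)


def describe(pkt):
    """What the receiving client would see, plus whether all three checksums verify."""
    outer = parse_ipv4(pkt)
    icmp = outer["payload"]
    inner = icmp[8:]
    return {"outer_src": outer["src"], "outer_dst": outer["dst"],
            "icmp_type": icmp[0], "icmp_code": icmp[1],
            "inner_src": bytes_to_ip(inner[12:16]), "inner_dst": bytes_to_ip(inner[16:20]),
            "ip_ok": checksum(pkt[:20]) == 0, "icmp_ok": checksum(icmp) == 0,
            "inner_ip_ok": checksum(inner[:20]) == 0}


def demo():
    # Offending packet as the internal server saw it: a 40-byte SYN to auth/tcp (113),
    # already rewritten by the NAT to the internal address. Only its header + 8 bytes
    # are quoted in the ICMP error, as the protocol requires.
    offending = ipv4_header(CLIENT_IP, INTERNAL_IP, 6, 20) + struct.pack("!HHI", 40000, 113, 1)
    untranslated = build_icmp_error(INTERNAL_IP, CLIENT_IP, 9, offending)   # 9 = net-prohib
    translated = nat_icmp_error_outbound(untranslated, INTERNAL_IP, PUBLIC_IP)
    return describe(untranslated), describe(translated)


if __name__ == "__main__":
    before, after = demo()
    print("before NAT:", before)
    print("after NAT: ", after)
```

Run it and compare the two dictionaries: before translation the error leaks the internal address in both the outer source and the quoted header; after translation the client sees only the public address in both places, and all three checksums still verify. A firewall that simply issues a reset or an unreachable for a packet addressed to itself, as in the auth/tcp case above, needs none of this, because nothing was translated in the first place.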