Date:      Wed, 21 Jul 2004 20:54:09 +0300
From:      Petri Helenius <pete@he.iki.fi>
To:        James <james@towardex.com>
Cc:        James <haesu@towardex.com>
Subject:   Re: IPFW2 versrcreach update
Message-ID:  <40FEADC1.8070400@he.iki.fi>
In-Reply-To: <20040721114455.GA47249@scylla.towardex.com>
References:  <20040720021237.GA74977@scylla.towardex.com> <40FCD21B.40CB83ED@freebsd.org> <20040721020418.GA53214@scylla.towardex.com> <40FE4367.AA7B0A7F@freebsd.org> <20040721114455.GA47249@scylla.towardex.com>

James wrote:

>
>uRPF should not emit an ICMP when it drops a -reject route. Even with 
>ip unreachables, Cisco won't emit ICMP when uRPF is killing a packet. The source
>that triggered uRPF drop condition cannot be trusted as it may have spoofed the
>packet.
>
>  
>
Where would the ICMP go anyway because you either don't have a route to 
where you would point the packet to or the route points to null?

Pete



