Date: Tue, 2 Jun 1998 11:16:51 -0400 (EDT)
From: woods@zeus.leitch.com (Greg A. Woods)
To: freebsd-net@FreeBSD.ORG
Subject: Re: ipfw & icmp question
Message-ID: <199806021516.LAA21224@brain.zeus.leitch.com>
In-Reply-To: Bill Fenner's message of "Mon, June 1, 1998 20:35:40 PDT" regarding "Re: ipfw & icmp question " id <199806020335.UAA08380@mango.parc.xerox.com>
References: <19980530234807.14632@deepo.prosa.dk> <199806020335.UAA08380@mango.parc.xerox.com>

[ On Mon, June 1, 1998 at 20:35:40 (PDT), Bill Fenner wrote: ]
> Subject: Re: ipfw & icmp question
>
> Most TCP stacks ignore ICMP TCP port unreachable errors. You
> need to configure ipfw to send a TCP RST instead.

I don't know about "most" TCP stacks.... I know that SunOS-4 has major problems with them too -- the result is a connection timed out for all TCP attempts to the destination after receiving ICMP_UNREACH_PORT. If Digital UNIX 4.0B and FreeBSD 2.2.6 do the same then that's three with the problem against two without! ;-)

With 2.2.6 behaving this way it suggests all 4.4BSD based stacks will do likewise unless they've been subsequently fixed.

I don't know where that leaves firewall administrators. My guess is they should only return ICMP_UNREACH_PORT for UDP protocols and should always return TCP RST for all TCP protocols, regardless of what the standards might say, since that's what's most likely to work given an arbitrary remote client host.

--
Greg A. Woods

+1 416 443-1734 VE3TCP <gwoods@acm.org> <robohack!woods>
Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>
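
The rule of thumb at the end of the message (ICMP port unreachable only for UDP, TCP RST for TCP) can be checked mechanically against an ipfw ruleset. The following is an added example, not part of the original message or of FreeBSD: it assumes rules of the form `[ipfw] add [number] action [log] proto ...`, the sample ruleset is constructed, and it goes slightly beyond the message by also flagging `ip`/`all` rules, since those match TCP packets as well.

```python
# Added example: flag ipfw rules that answer TCP with an ICMP unreachable.
# Assumed rule grammar: [ipfw] add [number] action [log] proto from ... to ...
import shlex

ICMP_ACTIONS = {"unreach", "reject"}  # "reject" is ipfw's synonym for "unreach host"
TCP_PROTOS = {"tcp", "ip", "all"}     # "ip"/"all" rules match TCP packets too

def parse_rule(line):
    """Return (number, action, proto) for an 'add' rule, or None for other lines."""
    tok = shlex.split(line, comments=True)
    if tok and tok[0].endswith("ipfw"):
        tok = tok[1:]
    if len(tok) < 3 or tok[0] != "add":
        return None
    tok = tok[1:]
    number = None
    if tok[0].isdigit():
        number, tok = int(tok[0]), tok[1:]
    action, tok = tok[0], tok[1:]
    if action == "unreach" and tok:   # "unreach" takes a code argument
        action, tok = f"unreach {tok[0]}", tok[1:]
    if tok and tok[0] == "log":
        tok = tok[1:]
    proto = tok[0] if tok else None
    return number, action, proto

def tcp_icmp_rejects(ruleset):
    """Return the rules that would reply to TCP with an ICMP unreachable."""
    findings = []
    for line in ruleset.splitlines():
        rule = parse_rule(line)
        if rule is None:
            continue
        number, action, proto = rule
        if action.split()[0] in ICMP_ACTIONS and proto in TCP_PROTOS:
            findings.append((number, action, proto))
    return findings

# Constructed sample ruleset (not from the original message).
SAMPLE = """\
# ident, telnet, tftp, then a catch-all
ipfw add 100 unreach port tcp from any to any 113
ipfw add 110 reset tcp from any to any 23
ipfw add 120 unreach port udp from any to any 69
ipfw add 130 reject log all from any to any
"""

if __name__ == "__main__":
    for number, action, proto in tcp_icmp_rejects(SAMPLE):
        print(f"rule {number}: '{action}' on {proto}; use 'reset' for TCP")
```

Rules 100 and 130 are reported; rule 120 is left alone because ICMP port unreachable is the expected answer for a closed UDP port.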