Date: Tue, 17 Aug 1999 09:14:31 +0200
From: Geoff Rehmet <geoffr@is.co.za>
To: "'Archie Cobbs'" <archie@whistle.com>
Cc: imp@village.org, brian@CSUA.Berkeley.EDU, current@FreeBSD.ORG
Subject: RE: Dropping connections without RST
Message-ID: <E3453EC6C52ED3118E7E0090275CD47CFFAFA9@isjhbex.is.co.za>

> > Geoff Rehmet writes:
> > > : Not that easily.. how are you going to make ipfw dynamically know
> > > : which ports have listeners and which don't?
> > >
> > > By filtering all RST packets?
> >
> > My view was that this is much simpler than filtering packets -
> > never generate the packet.  My guess is that it creates lower
> > overheads.  In some instances, I don't want to look at every
> > packet (which in effect happens with a packet filter).
>
> Plus, packets with RST in them are used for other purposes besides
> rejecting new incoming connections..

True, my implementation is specific that I only omit generating
a RST when the incoming segment is a SYN.  All other instances where
you would generate a RST are left alone, and carry on behaving as
before - otherwise you might break TCP behaviour.

Geoff.
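
The behaviour described in the message above, as an added example that is not part of the original e-mail and is not Geoff's patch or FreeBSD kernel code. It models the RFC 793 reply to a segment arriving for a closed port, with the single SYN case suppressed; `closed_port_reply`, `drop_syn_rst` and the two structs are hypothetical names.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_ACK 0x10

struct seg   { uint8_t flags; uint32_t seq, ack, datalen; };
struct reply { bool send; uint8_t flags; uint32_t seq, ack; };

/* Reply to a segment that matches no connection and no listener.
 * drop_syn_rst is a hypothetical switch standing in for the change. */
struct reply closed_port_reply(const struct seg *in, bool drop_syn_rst)
{
    struct reply r = { false, 0, 0, 0 };

    if (in->flags & TH_RST)
        return r;                 /* a RST is never answered */
    if (drop_syn_rst && (in->flags & TH_SYN))
        return r;                 /* the one changed case: silent on SYN */

    r.send = true;
    if (in->flags & TH_ACK) {     /* <SEQ=SEG.ACK><CTL=RST> */
        r.flags = TH_RST;
        r.seq = in->ack;
    } else {                      /* <SEQ=0><ACK=SEG.SEQ+SEG.LEN><CTL=RST,ACK> */
        uint32_t len = in->datalen;
        if (in->flags & TH_SYN) len++;   /* SYN and FIN each occupy */
        if (in->flags & TH_FIN) len++;   /* one sequence number     */
        r.flags = TH_RST | TH_ACK;
        r.ack = in->seq + len;
    }
    return r;
}

int main(void)
{
    /* Constructed sample segments, not captured traffic. */
    struct seg syn = { TH_SYN, 1000, 0, 0 }, stray = { TH_ACK, 42, 5000, 0 };
    struct reply a = closed_port_reply(&syn, true);
    struct reply b = closed_port_reply(&stray, true);
    printf("SYN: send=%d  stray ACK: send=%d seq=%u\n", a.send, b.send, (unsigned)b.seq);
    return 0;
}
```

With the switch on, only the SYN goes unanswered; a stray ACK or FIN still draws the same RST as before, which is the difference from filtering every outgoing RST.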