From: woods@zeus.leitch.com (Greg A. Woods)
To: freebsd-net@FreeBSD.ORG
Subject: Re: ipfw & icmp question
Date: Tue, 2 Jun 1998 11:16:51 -0400 (EDT)
Message-Id: <199806021516.LAA21224@brain.zeus.leitch.com>
In-Reply-To: Bill Fenner's message of "Mon, June 1, 1998 20:35:40 PDT" regarding "Re: ipfw & icmp question" id <199806020335.UAA08380@mango.parc.xerox.com>
References: <19980530234807.14632@deepo.prosa.dk> <199806020335.UAA08380@mango.parc.xerox.com>
Organization: Planix, Inc.; Toronto, Ontario; Canada

[ On Mon, June 1, 1998 at 20:35:40 (PDT), Bill Fenner wrote: ]
> Subject: Re: ipfw & icmp question
>
> Most TCP stacks ignore ICMP TCP port unreachable errors. You
> need to configure ipfw to send a TCP RST instead.
I don't know about "most" TCP stacks.... I know that SunOS-4 has major problems with them too -- the result is a connection timed out for all TCP attempts to the destination after receiving ICMP_UNREACH_PORT. If Digital UNIX 4.0B and FreeBSD 2.2.6 do the same then that's three with the problem against two without! ;-)

With 2.2.6 behaving this way it suggests all 4.4BSD based stacks will do likewise unless they've been subsequently fixed.

I don't know where that leaves firewall administrators. My guess is they should only return ICMP_UNREACH_PORT for UDP protocols and should always return TCP RST for all TCP protocols, regardless of what the standards might say, since that's what's most likely to work given an arbitrary remote client host.

--
Greg A. Woods
+1 416 443-1734 VE3TCP
Planix, Inc.; Secrets of the Weird
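The rule set Greg's suggestion amounts to, as an added example that is not part of the thread: an ipfw(8) rejection policy that answers new inbound TCP with a RST and UDP with ICMP port unreachable, printed next to the ICMP-for-everything variant that leaves SunOS-4 style clients waiting for a timeout. The interface name `ed0`, the network `192.0.2.0/24` and the rule numbers are placeholders chosen here, not values from the thread.

```shell
#!/bin/sh
# Added example: generate (and optionally apply) ipfw reject rules.
# IFACE and NET are placeholders; override them from the environment.
IFACE=${IFACE:-ed0}
NET=${NET:-192.0.2.0/24}

# reject_rules MODE
#   icmp : reject TCP with ICMP port unreachable (the behaviour the
#          thread reports as a long "connection timed out" on SunOS-4
#          and 4.4BSD-derived clients)
#   rst  : TCP RST for TCP, ICMP port unreachable for UDP (recommended)
# Prints one rule body per line; "ipfw" is prepended only when applying.
reject_rules() {
    case "$1" in
        icmp) tcp_action="unreach port" ;;
        rst)  tcp_action="reset" ;;
        *)    echo "usage: reject_rules icmp|rst" >&2; return 1 ;;
    esac
    # Pass replies to connections the inside already opened (ACK/RST set)
    # so the reject rules below only ever see fresh inbound attempts.
    echo "add 900 allow tcp from any to $NET in via $IFACE established"
    echo "add 1000 $tcp_action tcp from any to $NET in via $IFACE"
    echo "add 1010 unreach port udp from any to $NET in via $IFACE"
}

# Usage:  ./reject.sh rst          -> print the recommended rules
#         ./reject.sh rst apply    -> load them into the running ipfw
if [ "$2" = "apply" ]; then
    reject_rules "$1" | while read -r rule; do
        ipfw $rule   # intentionally unquoted: each word is an argument
    done
elif [ -n "$1" ]; then
    reject_rules "$1"
fi
```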