To: patl@phoenix.volant.org
Cc: freebsd-security@freebsd.org
Subject: Re: ipfw: reset -vs- unreach port
In-reply-to: Your message of "Mon, 28 May 2001 00:55:45 MST."
Date: Mon, 28 May 2001 12:03:48 +0200
Message-ID: <51156.991044228@axl.fw.uunet.co.za>
From: Sheldon Hearn

On Mon, 28 May 2001 00:55:45 MST, patl@Phoenix.Volant.ORG wrote:

> There are a few 'nuisance' TCP services that are normally blocked by
> firewalls (e.g., auth [113] and netbios-ns [137]).  In the interest
> of reducing the delays which would be imposed by simply dropping
> those packets, is it better to use 'reset' (send an RST), 'unreach
> port' (send a Port Unreachable ICMP message), or 'unreach filter-prohib'
> (send a Filter Prohibition ICMP message)?

Yes.

Ciao,
Sheldon.