Date: Mon, 28 May 2001 13:11:36 +0300
From: Peter Pentchev <roam@orbitel.bg>
To: patl@phoenix.volant.org
Cc: Sheldon Hearn <sheldonh@uunet.co.za>, freebsd-security@freebsd.org
Subject: Re: ipfw: reset -vs- unreach port
Message-ID: <20010528131136.A588@ringworld.oblivion.bg>
In-Reply-To: <51156.991044228@axl.fw.uunet.co.za>; from sheldonh@uunet.co.za on Mon, May 28, 2001 at 12:03:48PM +0200
References: <ML-3.4.991036545.6838.patl@asimov.phoenix.volant.org> <51156.991044228@axl.fw.uunet.co.za>
On Mon, May 28, 2001 at 12:03:48PM +0200, Sheldon Hearn wrote:
>
>
> On Mon, 28 May 2001 00:55:45 MST, patl@Phoenix.Volant.ORG wrote:
>
> > There are a few 'nuisance' TCP services that are normally blocked by
> > firewalls (e.g., auth [113] and netbios-ns [137]). In the interest
> > of reducing the delays which would be imposed by simply dropping
> > those packets, is it better to use 'reset' (send an RST), 'unreach
> > port' (send a Port Unreachable ICMP message), or 'unreach filter-prohib'
> > (send a Filter Prohibition ICMP message)?
>
> Yes.

Uh.. I think the original poster already considered using one of these
three better than just dropping the packet on the floor, and his
question was more like which of the three was better :)

IMHO, a simple RST would be best - a classic, old-fashioned 'connection
refused, no one here' reply, almost no indication that it is actually
a firewall blocking the attempt, no fear of overly-paranoid firewalls
dropping stray ICMP packets (and causing the same delay due to no
response). Yes, I know that no one should block *these* types of ICMP,
but the sad fact is, some ISPs do.

G'luck,
Peter

--
This sentence every third, but it still comprehensible.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
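The ipfw actions discussed in this thread, written out as a small rule set that follows Peter's recommendation; this is an added example, not code from the thread, and it assumes FreeBSD ipfw(8) syntax, that rule numbers 1000 and 1010 are free, and a DRY_RUN switch (an assumption of this example) that prints the commands instead of applying them.

```sh
#!/bin/sh
# Added example, not from the thread. Reject rules for the two "nuisance"
# services named in the question (auth 113, netbios-ns 137).
# Assumptions: FreeBSD ipfw(8) syntax, rule numbers 1000/1010 unused.
# DRY_RUN=1 (the default here) prints the ipfw commands instead of
# running them, so the rule set can be reviewed before it is applied.
DRY_RUN=${DRY_RUN:-1}

ipfw_cmd() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "ipfw $*"
    else
        ipfw "$@"
    fi
}

nuisance_rules() {
    # auth/ident (TCP 113): answer with a TCP RST. To the peer this looks
    # like an ordinary "connection refused" and it does not depend on
    # ICMP getting through any intermediate filter.
    ipfw_cmd add 1000 reset tcp from any to me 113 in

    # netbios-ns (UDP 137): an RST only exists for TCP, so for UDP the
    # closest quick-failure reply is an ICMP port unreachable.
    ipfw_cmd add 1010 unreach port udp from any to me 137 in
}
```

Run with DRY_RUN=0 as root on the firewall host to install the rules; with the default the script only prints them.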