From owner-freebsd-security Mon May 28 3:12:41 2001
Date: Mon, 28 May 2001 13:11:36 +0300
From: Peter Pentchev
To: patl@phoenix.volant.org
Cc: Sheldon Hearn, freebsd-security@freebsd.org
Subject: Re: ipfw: reset -vs- unreach port
Message-ID: <20010528131136.A588@ringworld.oblivion.bg>
In-Reply-To: <51156.991044228@axl.fw.uunet.co.za>; from sheldonh@uunet.co.za on Mon, May 28, 2001 at 12:03:48PM +0200
References: <51156.991044228@axl.fw.uunet.co.za>

On Mon, May 28, 2001 at 12:03:48PM +0200, Sheldon Hearn wrote:
> On Mon, 28 May 2001 00:55:45 MST, patl@Phoenix.Volant.ORG wrote:
>
> > There are a few 'nuisance' TCP services that are normally blocked by
> > firewalls (e.g., auth [113] and netbios-ns [137]). In the interest
> > of reducing the delays which would be imposed by simply dropping
> > those packets, is it better to use 'reset' (send an RST), 'unreach
> > port' (send a Port Unreachable ICMP message), or 'unreach filter-prohib'
> > (send a Filter Prohibition ICMP message)?
>
> Yes.

Uh.. I think the original poster already considered using one of these three better than just dropping the packet on the floor, and his question was more like which of the three was better :)

IMHO, a simple RST would be best - a classic, old-fashioned 'connection refused, no one here' reply, almost no indication that it is actually a firewall blocking the attempt, no fear of overly-paranoid firewalls dropping stray ICMP packets (and causing the same delay due to no response). Yes, I know that no one should block *these* types of ICMP, but the sad fact is, some ISPs do.

G'luck,
Peter

-- 
This sentence every third, but it still comprehensible.
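The three actions compared in this thread, as an added example that is not part of the original messages: an rc.firewall-style fragment for FreeBSD's ipfw. The rule numbers, the /sbin/ipfw path and the FWCMD dry-run variable are assumptions; note that NetBIOS name service actually runs over UDP, and ipfw's reset action only emits a RST for TCP packets, so that port gets unreach port instead.

```shell
#!/bin/sh
# Added example (not from the thread): replies for blocked "nuisance" ports.
# Assumptions: rule numbers 1000-1020 are unused, ipfw is /sbin/ipfw, and
# FWCMD=echo gives a dry run that only prints the rules it would install.
fwcmd="${FWCMD:-/sbin/ipfw}"

nuisance_rules() {
    # auth/ident (113/tcp): a RST reads as an ordinary "connection refused",
    # so the peer gives up immediately instead of retransmitting its SYN,
    # and nothing in the reply points at a firewall.
    "$fwcmd" add 1000 reset tcp from any to me 113 in

    # netbios-ns (137/udp): there is no RST for UDP and ipfw's reset action
    # only sends one for TCP, so an ICMP port unreachable is the equivalent.
    "$fwcmd" add 1010 unreach port udp from any to me 137 in

    # The alternative from the thread, kept here for comparison: an ICMP
    # "administratively prohibited" reply. It advertises that a filter is in
    # place, and like any ICMP it may be dropped by an over-paranoid network
    # on the way back, in which case the peer waits for its own timeout.
    # "$fwcmd" add 1020 unreach filter-prohib tcp from any to me 113 in
}

# Install the rules only when executed directly, not when sourced.
[ "${0##*/}" = "nuisance.sh" ] && nuisance_rules
```

Run it as `FWCMD=echo sh nuisance.sh` to preview the rules before installing them on a live system.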