Date:      Mon, 5 May 1997 21:14:57 -0700 (PDT)
From:      Archie Cobbs <archie@whistle.com>
To:        danny@panda.hilink.com.au (Daniel O'Callaghan)
Cc:        current@FreeBSD.ORG, hackers@FreeBSD.ORG
Subject:   Re: divert still broken?
Message-ID:  <199705060414.VAA11171@bubba.whistle.com>
In-Reply-To: <Pine.BSF.3.91.970506130122.4479h-100000@panda.hilink.com.au> from Daniel O'Callaghan at "May 6, 97 01:04:32 pm"

> > > >  - When a reject rule applies to an incoming TCP packet, send
> > > >    the appropriate TCP response packet (ie., RST) instead of an
> > > >    ICMP port unreachable.
> > > 
> > > I think you want to make this user configurable and perhaps on a per-rule
> > > basis.
> > 
> > This is only with "reject" -- ie., right now it sends an ICMP unreachable.
> > There's still "deny" which silently drops.
> 
> How about 
> 
> ipfw add 1000 reset tcp from any to foo 23
> 
> So the choices are:
>   deny  :  be silent
>   reject:  send ICMP !H
>   reset :  send RST

Sounds OK with me.. anybody else care to comment?

-Archie

___________________________________________________________________________
Archie Cobbs   *   Whistle Communications, Inc.  *   http://www.whistle.com