Date:      Tue, 6 May 1997 22:10:55 +1000 (EST)
From:      Darren Reed <avalon@coombs.anu.edu.au>
To:        danny@panda.hilink.com.au (Daniel O'Callaghan)
Cc:        archie@whistle.com, current@FreeBSD.ORG, hackers@FreeBSD.ORG
Subject:   Re: divert still broken?
Message-ID:  <199705061212.FAA07246@hub.freebsd.org>
In-Reply-To: <Pine.BSF.3.91.970506130122.4479h-100000@panda.hilink.com.au> from "Daniel O'Callaghan" at May 6, 97 01:04:32 pm

In some mail from Daniel O'Callaghan, sie said:
> 
> 
> 
> On Mon, 5 May 1997, Archie Cobbs wrote:
> 
> > > >  - When a reject rule applies to an incoming TCP packet, send
> > > >    the appropriate TCP response packet (ie., RST) instead of an
> > > >    ICMP port unreachable.
> > > 
> > > I think you want to make this user configurable and perhaps on a per-rule
> > > basis.
> > 
> > This is only with "reject" -- ie., right now it sends an ICMP unreachable.
> > There's still "deny" which silently drops.
>  
> 
> How about 
> 
> ipfw add 1000 reset tcp from any to foo 23
> 
> So the choices are:
>   deny  :  be silent
>   reject:  send ICMP !H
>   reset :  send RST
> 
> Ipfilter allows you to choose to send !H or !N.  How could this be done 

Ipfilter will let you send whichever one you want :)

> in ipfw?  Is it needed?

Have we had the discussion about using "permission denied" ICMP replies? :)
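
Added example, not part of the original message and not ipfw or ipfilter code: a model of the three choices listed in the thread (deny, reject, reset), showing what a `reset` action has to put in the RST so the sender's TCP accepts it (RFC 793 reset generation). All type and function names are this example's own; ICMP code 1 is host unreachable (!H) and code 0 is network unreachable (!N).

```c
#include <stdint.h>

/* TCP flag bits as defined in RFC 793 */
#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_ACK 0x10

/* The three rule actions from the thread (enum names are hypothetical). */
enum fw_action  { FW_DENY, FW_REJECT, FW_RESET };
enum reply_kind { REPLY_NONE, REPLY_ICMP_UNREACH, REPLY_TCP_RST };

/* Only the fields of the blocked segment that are needed to build a reply. */
struct tcp_seg { uint32_t seq, ack; uint8_t flags; uint16_t data_len; };

struct reply {
    enum reply_kind kind;
    uint8_t  icmp_code;   /* used when kind == REPLY_ICMP_UNREACH */
    uint32_t seq, ack;    /* used when kind == REPLY_TCP_RST */
    uint8_t  flags;
};

/* Decide what goes back to the sender of a blocked TCP segment. */
struct reply fw_block_tcp(enum fw_action act, const struct tcp_seg *in)
{
    struct reply r = { REPLY_NONE, 0, 0, 0, 0 };

    if (act == FW_DENY)
        return r;                        /* deny: be silent */
    if (act == FW_REJECT) {
        r.kind = REPLY_ICMP_UNREACH;
        r.icmp_code = 1;                 /* reject: ICMP type 3, code 1 (!H) */
        return r;
    }
    if (in->flags & TH_RST)
        return r;                        /* never answer a RST with a RST */
    r.kind = REPLY_TCP_RST;
    if (in->flags & TH_ACK) {            /* <SEQ=SEG.ACK><CTL=RST> */
        r.seq = in->ack;
        r.flags = TH_RST;
    } else {                             /* <SEQ=0><ACK=SEG.SEQ+SEG.LEN><CTL=RST,ACK> */
        r.ack = in->seq + in->data_len   /* SYN and FIN each occupy one sequence number */
              + ((in->flags & TH_SYN) ? 1 : 0) + ((in->flags & TH_FIN) ? 1 : 0);
        r.flags = TH_RST | TH_ACK;
    }
    return r;
}
```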



