From owner-freebsd-current Tue May 6 05:12:45 1997
Return-Path: 
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id FAA07265 for current-outgoing; Tue, 6 May 1997 05:12:45 -0700 (PDT)
Received: from cheops.anu.edu.au (avalon@cheops.anu.edu.au [150.203.76.24]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id FAA07246; Tue, 6 May 1997 05:12:39 -0700 (PDT)
Message-Id: <199705061212.FAA07246@hub.freebsd.org>
Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA067270655; Tue, 6 May 1997 22:10:55 +1000
From: Darren Reed
Subject: Re: divert still broken?
To: danny@panda.hilink.com.au (Daniel O'Callaghan)
Date: Tue, 6 May 1997 22:10:55 +1000 (EST)
Cc: archie@whistle.com, current@FreeBSD.ORG, hackers@FreeBSD.ORG
In-Reply-To: from "Daniel O'Callaghan" at May 6, 97 01:04:32 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: owner-current@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

In some mail from Daniel O'Callaghan, sie said:
>
>
>
> On Mon, 5 May 1997, Archie Cobbs wrote:
>
> > > > - When a reject rule applies to an incoming TCP packet, send
> > > > the appropriate TCP response packet (ie., RST) instead of an
> > > > ICMP port unreachable.
> > >
> > > I think you want to make this user configurable and perhaps on a per-rule
> > > basis.
> >
> > This is only with "reject" -- ie., right now it sends an ICMP unreachable.
> > There's still "deny" which silently drops.
>
> How about
>
> ipfw add 1000 reset tcp from any to foo 23
>
> So the choices are:
> deny : be silent
> reject: send ICMP !H
> reset : send RST
>
> Ipfilter allows you to choose to send !H or !N. How could this be done

Ipfilter will let you send whichever one you want :)

> in ipfw? Is it needed?

have we had the discussion about using "permission denied" icmp replies ? :)