From owner-freebsd-net  Sun Dec 17 13:22: 4 2000
From owner-freebsd-net@FreeBSD.ORG  Sun Dec 17 13:22:02 2000
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
Delivered-To: freebsd-net@freebsd.org
Received: from gw.nectar.com (gw.nectar.com [208.42.49.153])
	by hub.freebsd.org (Postfix) with ESMTP
	id BC8C137B400; Sun, 17 Dec 2000 13:22:01 -0800 (PST)
Received: from hamlet.nectar.com (hamlet.nectar.com [10.0.1.102])
	by gw.nectar.com (Postfix) with ESMTP
	id 25718193E1; Sun, 17 Dec 2000 15:22:01 -0600 (CST)
Received: (from nectar@localhost)
	by hamlet.nectar.com (8.11.1/8.9.3) id eBHLM1q63092;
	Sun, 17 Dec 2000 15:22:01 -0600 (CST)
	(envelope-from nectar@spawn.nectar.com)
Date: Sun, 17 Dec 2000 15:22:00 -0600
From: "Jacques A. Vidrine" <n@nectar.com>
To: Jesper Skriver <jesper@skriver.dk>
Cc: freebsd-net@FreeBSD.org,
	Poul-Henning Kamp <phk@critter.freebsd.dk>,
	Kris Kennaway <kris@FreeBSD.org>, security-officer@FreeBSD.org
Subject: Re: cvs commit: src/sys/netinet ip_icmp.c tcp_subr.c tcp_var.h
Message-ID: <20001217152200.A63080@hamlet.nectar.com>
Mail-Followup-To: "Jacques A. Vidrine" <n@nectar.com>,
	Jesper Skriver <jesper@skriver.dk>, freebsd-net@FreeBSD.org,
	Poul-Henning Kamp <phk@critter.freebsd.dk>,
	Kris Kennaway <kris@FreeBSD.org>, security-officer@FreeBSD.org
References: <20001217012007.A18038@citusc.usc.edu> <17340.977045052@critter> <20001217095914.A61976@spawn.nectar.com> <20001217102613.B61976@spawn.nectar.com> <20001217220852.A20296@skriver.dk>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20001217220852.A20296@skriver.dk>; from jesper@skriver.dk on Sun, Dec 17, 2000 at 10:08:52PM +0100
X-Url: http://www.nectar.com/
Sender: nectar@nectar.com
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sun, Dec 17, 2000 at 10:08:52PM +0100, Jesper Skriver wrote:
> >    (2) These same messages are not handled for connections not in
> >        SYN-SENT: they ought to be
> 
> Well, yes, but the real problem is when sessions are setup, the reason I
> only configured it to affect sessions in SYN-SENT state, was to minimize
> the risk for a DoS.

This should not be treated any differently than a host/net unreachable
message.  If filters are (re)loaded while a connection is in progress,
then the ICMP message should serve to tear down the connection.

-- 
Jacques Vidrine / n@nectar.com / jvidrine@verio.net / nectar@FreeBSD.org


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message