Date:      Sun, 17 Dec 2000 15:22:00 -0600
From:      "Jacques A. Vidrine" <n@nectar.com>
To:        Jesper Skriver <jesper@skriver.dk>
Cc:        freebsd-net@FreeBSD.org, Poul-Henning Kamp <phk@critter.freebsd.dk>, Kris Kennaway <kris@FreeBSD.org>, security-officer@FreeBSD.org
Subject:   Re: cvs commit: src/sys/netinet ip_icmp.c tcp_subr.c tcp_var.h
Message-ID:  <20001217152200.A63080@hamlet.nectar.com>
In-Reply-To: <20001217220852.A20296@skriver.dk>; from jesper@skriver.dk on Sun, Dec 17, 2000 at 10:08:52PM +0100
References:  <20001217012007.A18038@citusc.usc.edu> <17340.977045052@critter> <20001217095914.A61976@spawn.nectar.com> <20001217102613.B61976@spawn.nectar.com> <20001217220852.A20296@skriver.dk>

On Sun, Dec 17, 2000 at 10:08:52PM +0100, Jesper Skriver wrote:
> >    (2) These same messages are not handled for connections not in
> >        SYN-SENT: they ought to be
> 
> Well, yes, but the real problem is when sessions are set up, the reason I
> only configured it to affect sessions in SYN-SENT state, was to minimize
> the risk for a DoS.

This should not be treated any differently than a host/net unreachable
message.  If filters are (re)loaded while a connection is in progress,
then the ICMP message should serve to tear down the connection.

-- 
Jacques Vidrine / n@nectar.com / jvidrine@verio.net / nectar@FreeBSD.org

