From owner-freebsd-hackers Mon May 5 20:02:36 1997
Date: Tue, 6 May 1997 13:04:32 +1000 (EST)
From: "Daniel O'Callaghan"
To: Archie Cobbs
cc: current@FreeBSD.ORG, hackers@FreeBSD.ORG
Subject: Re: divert still broken?
In-Reply-To: <199705060046.RAA10264@bubba.whistle.com>

On Mon, 5 May 1997, Archie Cobbs wrote:

> > > - When a reject rule applies to an incoming TCP packet, send
> > >   the appropriate TCP response packet (ie., RST) instead of an
> > >   ICMP port unreachable.
> >
> > I think you want to make this user configurable and perhaps on a per-rule
> > basis.
>
> This is only with "reject" -- ie., right now it sends an ICMP unreachable.
> There's still "deny" which silently drops.

How about

    ipfw add 1000 reset tcp from any to foo 23

So the choices are:

deny  : be silent
reject: send ICMP !H
reset : send RST

Ipfilter allows you to choose to send !H or !N. How could this be done in
ipfw? Is it needed?

Danny
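
Added example, not part of the original message and not ipfw's own code: how a packet filter can derive the fields of the RST that the proposed `reset` action would send, following the reset-generation rule in RFC 793. The `struct seg` layout, `build_rst` and the sample SYN are hypothetical and constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_ACK 0x10

/* Hypothetical minimal view of a TCP segment, host byte order. */
struct seg {
    uint16_t sport, dport;
    uint32_t seq, ack;
    uint8_t  flags;
    uint32_t payload_len;
};

/* Fill *rst with the reset answering the rejected segment *in.
 * Returns false when nothing may be sent: a RST is never answered. */
bool build_rst(const struct seg *in, struct seg *rst)
{
    if (in->flags & TH_RST)
        return false;
    rst->sport = in->dport;          /* reply appears to come from the filtered port */
    rst->dport = in->sport;
    rst->payload_len = 0;
    if (in->flags & TH_ACK) {
        rst->seq = in->ack;          /* the sequence number the peer expects next */
        rst->ack = 0;
        rst->flags = TH_RST;
    } else {
        uint32_t len = in->payload_len;
        if (in->flags & TH_SYN) len++;   /* SYN and FIN each consume */
        if (in->flags & TH_FIN) len++;   /* one sequence number */
        rst->seq = 0;
        rst->ack = in->seq + len;        /* wraps modulo 2^32 */
        rst->flags = TH_RST | TH_ACK;
    }
    return true;
}

int main(void)
{
    /* Constructed sample: a SYN to port 23, as in the rule above. */
    struct seg syn = { 40000, 23, 1000, 0, TH_SYN, 0 }, rst;
    if (build_rst(&syn, &rst))
        printf("RST seq=%u ack=%u flags=0x%02x\n",
               (unsigned)rst.seq, (unsigned)rst.ack, (unsigned)rst.flags);
    return 0;
}
```

A peer that receives this RST sees "connection refused" immediately, whereas `deny` leaves it to time out and `reject` relies on the ICMP unreachable being delivered and honoured.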