Date: Thu, 29 Feb 1996 09:04:21 -0800
From: Paul Traina <pst@shockwave.com>
To: Andras Olah <olah@cs.utwente.nl>
Cc: current@freebsd.org
Subject: Re: Processing ICMP packets (was: -stable hangs at boot (fwd))
Message-ID: <199602291704.JAA05822@precipice.shockwave.com>
In-Reply-To: Your message of "Thu, 29 Feb 1996 11:10:43 +0100." <11766.825588643@curie.cs.utwente.nl>

From: Andras Olah <olah@cs.utwente.nl>
Subject: Processing ICMP packets (was: -stable hangs at boot (fwd))
On Wed, 28 Feb 1996 11:14:21 PST, Bill Fenner wrote:
> In message <199602262117.PAA15987@brasil.moneng.mei.com> you write:
> >Yes, I can imagine :-) I just want my firewalls to do something mildly
> >more social - like return a HOST_UNREACHABLE
>
> How about "Communication Administratively Prohibited" (code 13, see RFC1812
> section 5.3.9)

I've got two questions related to the handling of ICMP packets:

1. Shouldn't icmp_input() map ICMP type 3, code 13 packets to
PRC_UNREACH* error codes, instead of discarding them?

Yes (!!!) Please fix.

2. Background info: What's the difference between codes 9, 10
(ICMP_UNREACH_{NET,HOST}_PROHIB) and 13? Is 13 a code which covers
both 9 and 10, or does it have a special meaning?

It does have special meaning. Theoretically, you SHOULD be able to say
"if I get 9 (or 10) I cannot reach that net (or host), period." However,
many firewalls generate 9 or 10 (which was obsoleted by 13 for just this
reason). 13 says "don't assume anything other than this connection attempt
was refused for administrative reasons."

Thanks,
Andras
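
The distinction drawn in the reply above, as an added example (not code from FreeBSD or from either poster): a receiver validates a type 3 message, then decides how widely to apply the error. The `scope` enum, `classify_unreach()`, `demo()` and the `strict` switch are hypothetical names, and the kernel's own icmp_input() and PRC_* values are not reproduced here.

```c
#include <stddef.h>
#include <stdint.h>

/* Type 3 (destination unreachable) and the three codes from the thread. */
enum { ICMP_UNREACH = 3, NET_PROHIB = 9, HOST_PROHIB = 10, FILTER_PROHIB = 13 };
/* Hypothetical result: how widely the receiver applies the error. */
enum scope { SCOPE_DROP, SCOPE_OTHER, SCOPE_NET, SCOPE_HOST, SCOPE_ATTEMPT };

/* Internet checksum (RFC 1071); a valid message sums to 0. */
static uint16_t in_cksum(const uint8_t *p, size_t len)
{
    uint32_t sum = 0;
    for (; len > 1; p += 2, len -= 2)
        sum += (uint32_t)p[0] << 8 | p[1];
    if (len)
        sum += (uint32_t)p[0] << 8;
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* strict=1 believes codes 9/10 literally; strict=0 treats them like 13. */
enum scope classify_unreach(const uint8_t *msg, size_t len, int strict)
{
    /* 8-byte ICMP header, then quoted IP header (20) + 8 bytes of payload */
    if (len < 8 + 20 + 8 || in_cksum(msg, len) != 0)
        return SCOPE_DROP;
    if (msg[0] != ICMP_UNREACH)
        return SCOPE_OTHER;
    switch (msg[1]) {
    case FILTER_PROHIB: return SCOPE_ATTEMPT;   /* reported, never widened */
    case NET_PROHIB:    return strict ? SCOPE_NET : SCOPE_ATTEMPT;
    case HOST_PROHIB:   return strict ? SCOPE_HOST : SCOPE_ATTEMPT;
    default:            return SCOPE_OTHER;     /* codes outside the thread */
    }
}

/* Constructed sample: type 3 message quoting a zeroed 28-byte datagram. */
enum scope demo(uint8_t code, int strict, int corrupt)
{
    uint8_t m[36] = { ICMP_UNREACH, code };
    uint16_t ck = in_cksum(m, sizeof m);
    m[2] = (uint8_t)(ck >> 8);
    m[3] = (uint8_t)(ck & 0xff);
    m[35] ^= (uint8_t)corrupt;                  /* damage after checksumming */
    return classify_unreach(m, sizeof m, strict);
}

int main(void) { return demo(FILTER_PROHIB, 1, 0) == SCOPE_ATTEMPT ? 0 : 1; }
```

With `strict` off, a 9 or 10 generated by a firewall ends one connection attempt instead of marking a whole net or host unreachable, which is the reading the reply gives for code 13.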
