Date: Thu, 29 Feb 1996 09:04:21 -0800
From: Paul Traina <pst@shockwave.com>
To: Andras Olah <olah@cs.utwente.nl>
Cc: current@freebsd.org
Subject: Re: Processing ICMP packets (was: -stable hangs at boot (fwd))
Message-ID: <199602291704.JAA05822@precipice.shockwave.com>
In-Reply-To: Your message of "Thu, 29 Feb 1996 11:10:43 +0100." <11766.825588643@curie.cs.utwente.nl>

  From: Andras Olah <olah@cs.utwente.nl>
  Subject: Processing ICMP packets (was: -stable hangs at boot (fwd))

  On Wed, 28 Feb 1996 11:14:21 PST, Bill Fenner wrote:
  > In message <199602262117.PAA15987@brasil.moneng.mei.com>you write:
  > >Yes, I can imagine :-)  I just want my firewalls to do something mildly
  > >more social - like return a HOST_UNREACHABLE
  >
  > How about "Communication Administratively Prohibited" (code 13, see RFC1812
  > section 5.3.9)

  I've got two questions related to the handling of ICMP packets:

  1. Shouldn't icmp_input() map ICMP type 3, code 13 packets to
     PRC_UNREACH* error codes, instead of discarding them?

Yes (!!!)  Please fix.

  2. Background info: What's the difference between codes 9, 10
     (ICMP_UNREACH_{NET,HOST}_PROHIB) and 13?  Is 13 a code which covers
     both 9 and 10, or does it have a special meaning?

It does have special meaning.  Theoretically, you SHOULD be able to say
"if I get 9 (or 10) I cannot reach that net (or host), period."  However,
many firewalls generate 9 or 10 (which was obsoleted by 13 for just this
reason).  13 says "don't assume anything other than this connection attempt
was refused for administrative reasons."

  Thanks,

  Andras
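
Added example, not part of the original message and not FreeBSD's icmp_input() code: a C classifier that validates an ICMP type 3 message and reports how broadly the refusal applies for codes 9, 10 and 13, following the distinction drawn in the reply above. The enum names, classify_unreach() and the sample packet are constructed for this illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names for this example; not the kernel's PRC_* values. */
enum refusal_scope {
    SCOPE_INVALID = -1, /* truncated, bad checksum, or not type 3 */
    SCOPE_UNSPECIFIED,  /* some other unreachable code */
    SCOPE_NET,          /* code 9: that net is prohibited */
    SCOPE_HOST,         /* code 10: that host is prohibited */
    SCOPE_THIS_ATTEMPT  /* code 13: only this attempt was refused */
};

/* Internet checksum (RFC 1071); a valid ICMP message sums to 0. */
static uint16_t in_cksum(const uint8_t *p, size_t len)
{
    uint32_t sum = 0;
    for (; len > 1; p += 2, len -= 2)
        sum += (uint32_t)p[0] << 8 | p[1];
    if (len)
        sum += (uint32_t)p[0] << 8;
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Classify an ICMP message (buffer starts at the ICMP header) by code. */
enum refusal_scope classify_unreach(const uint8_t *icmp, size_t len)
{
    /* 8-byte ICMP header, then quoted IP header (20) + 8 data bytes. */
    if (len < 36 || in_cksum(icmp, len) != 0 || icmp[0] != 3)
        return SCOPE_INVALID;
    switch (icmp[1]) {
    case 9:  return SCOPE_NET;
    case 10: return SCOPE_HOST;
    case 13: return SCOPE_THIS_ATTEMPT;
    default: return SCOPE_UNSPECIFIED;
    }
}

/* Constructed sample: type 3, code 13, quoting an otherwise zeroed datagram. */
static const uint8_t sample13[36] = { 3, 13, 0xb7, 0xf2, 0, 0, 0, 0, 0x45 };

int main(void)
{
    printf("%d\n", classify_unreach(sample13, sizeof sample13));
    return 0;
}
```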