From owner-freebsd-current Thu Feb 29 09:05:10 1996
Return-Path: owner-current
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id JAA22881 for current-outgoing; Thu, 29 Feb 1996 09:05:10 -0800 (PST)
Received: from precipice.shockwave.com (precipice.shockwave.com [171.69.108.33]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id JAA22872 for ; Thu, 29 Feb 1996 09:05:07 -0800 (PST)
Received: from localhost.shockwave.com (localhost.shockwave.com [127.0.0.1]) by precipice.shockwave.com (8.7.4/8.7.3) with SMTP id JAA05822; Thu, 29 Feb 1996 09:04:22 -0800 (PST)
Message-Id: <199602291704.JAA05822@precipice.shockwave.com>
To: Andras Olah
cc: current@freebsd.org
Subject: Re: Processing ICMP packets (was: -stable hangs at boot (fwd))
In-reply-to: Your message of "Thu, 29 Feb 1996 11:10:43 +0100." <11766.825588643@curie.cs.utwente.nl>
Date: Thu, 29 Feb 1996 09:04:21 -0800
From: Paul Traina
Sender: owner-current@freebsd.org
Precedence: bulk

> From: Andras Olah
> Subject: Processing ICMP packets (was: -stable hangs at boot (fwd))
>
> On Wed, 28 Feb 1996 11:14:21 PST, Bill Fenner wrote:
> > In message <199602262117.PAA15987@brasil.moneng.mei.com> you write:
> > >Yes, I can imagine :-) I just want my firewalls to do something mildly
> > >more social - like return a HOST_UNREACHABLE
> >
> > How about "Communication Administratively Prohibited" (code 13, see RFC1812
> > section 5.3.9)
>
> I've got two questions related to the handling of ICMP packets:
>
> 1. Shouldn't icmp_input() map ICMP type 3, code 13 packets to PRC_UNREACH*
> error codes, instead of discarding them?

Yes (!!!) Please fix.

> 2. Background info: What's the difference between codes 9, 10
> (ICMP_UNREACH_{NET,HOST}_PROHIB) and 13? Is 13 a code which covers both 9
> and 10, or does it have a special meaning?

It does have special meaning. Theoretically, you SHOULD be able to say "if I
get 9 (or 10) I cannot reach that net (or host), period."

However, many firewalls generate 9 or 10 (which was obsoleted by 13 for just
this reason). 13 says "don't assume anything other than this connection
attempt was refused for administrative reasons."

> Thanks, Andras
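The classification the thread asks for, as an added C example that is not FreeBSD's icmp_input() and not code from this thread: codes 9 and 10 are treated as "net/host unreachable, period", code 13 as "this attempt was refused" rather than being discarded, and each class is carried through to the errno a socket would see. The PRC_* enum and the errno choices are this example's assumptions; the ICMP_UNREACH_* values are the standard ones.

```c
/* Added example, not FreeBSD's ip_icmp.c: classify ICMP type 3 codes into the
 * PRC_UNREACH* class handed to the transport, then into the socket errno. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#define ICMP_UNREACH                3   /* type: destination unreachable */
#define ICMP_UNREACH_NET            0
#define ICMP_UNREACH_HOST           1
#define ICMP_UNREACH_PORT           3
#define ICMP_UNREACH_NET_PROHIB     9   /* obsoleted by 13 */
#define ICMP_UNREACH_HOST_PROHIB   10   /* obsoleted by 13 */
#define ICMP_UNREACH_FILTER_PROHIB 13   /* RFC 1812 section 5.3.9 */
/* Constructed stand-ins for the kernel's PRC_* codes; PRC_DROP means discard. */
enum prc { PRC_DROP = -1, PRC_UNREACH_NET, PRC_UNREACH_HOST, PRC_UNREACH_PORT };

int icmp_unreach_to_prc(int code)
{
    switch (code) {
    case ICMP_UNREACH_NET:
    case ICMP_UNREACH_NET_PROHIB:    /* 9: that net is unreachable, period */
        return PRC_UNREACH_NET;
    case ICMP_UNREACH_HOST:
    case ICMP_UNREACH_HOST_PROHIB:   /* 10: that host is unreachable, period */
        return PRC_UNREACH_HOST;
    case ICMP_UNREACH_PORT:
    case ICMP_UNREACH_FILTER_PROHIB: /* 13: only this attempt was refused */
        return PRC_UNREACH_PORT;
    default:
        return PRC_DROP;             /* unknown code: keep discarding */
    }
}

/* What the socket layer surfaces for each class (0: nothing reported). */
int prc_to_errno(int prc)
{
    switch (prc) {
    case PRC_UNREACH_NET:  return ENETUNREACH;
    case PRC_UNREACH_HOST: return EHOSTUNREACH;
    case PRC_UNREACH_PORT: return ECONNREFUSED;
    default:               return 0;
    }
}

/* Raw ICMP message: byte 0 is type, byte 1 is code; header is 8 bytes. */
int icmp_packet_errno(const uint8_t *pkt, size_t len)
{
    if (len < 8 || pkt[0] != ICMP_UNREACH)
        return 0;
    return prc_to_errno(icmp_unreach_to_prc(pkt[1]));
}
```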