Date:      Thu, 29 Feb 1996 10:57:55 -0700
From:      Warner Losh <imp@village.org>
To:        Paul Traina <pst@shockwave.com>
Cc:        Andras Olah <olah@cs.utwente.nl>, current@freebsd.org
Subject:   Re: Processing ICMP packets (was: -stable hangs at boot (fwd))
Message-ID:  <199602291757.KAA03050@rover.village.org>
In-Reply-To: Your message of Thu, 29 Feb 1996 09:04:21 PST

: It does have special meaning.  Theoretically, you SHOULD be able to say
: "if I get 9 (or 10) I cannot reach that net (or host), period."  However,
: many firewalls generate 9 or 10 (which was obsoleted by 13 for just this
: reason).  13 says "don't assume anything other than this connection attempt
: was refused for administrative reasons."


Just so long as you don't wind up triggering the old 4.2 TCP bug.
Namely, when a port is unreachable, then *ALL* connections to that
host are discarded.  It is safer to silently discard packets in a
packet filter than to send back ICMP messages since it won't trigger
these bugs and will be treated as if it was lost and retransmitted or
timed out.  If people feel strongly that they want it, then it should
be an option that can be turned off since we have to deal with said
4.2 TCP implementations from time to time and an accidental
connection could cause us great grief.  If someone has the old TCP
code from then, and can assure me that this won't be a problem because
it doesn't understand type 13 packets, then never mind.

Warner
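The ICMP handling this thread argues about, as an added example that is not code from the original message or from FreeBSD: it parses an ICMP Destination Unreachable message, demultiplexes it to the exact TCP connection quoted in its payload, and applies the RFC 1122 soft/hard split (codes 9, 10 and 13 are soft), placed next to the host-wide teardown that Warner describes as the 4.2 TCP bug. The addresses, ports and the connection table are constructed sample data; the checksum field is left zero.

```python
import struct
from ipaddress import IPv4Address

# RFC 1122 4.2.3.9: TCP aborts on Destination Unreachable codes 2 and 3
# (protocol / port unreachable).  Every other code, including the
# administratively-prohibited 9, 10 and 13 from the thread, is a soft error
# that is only recorded.  (RFC 1122 also lists code 4, which modern stacks
# hand to path-MTU discovery instead.)
HARD_CODES = {2, 3}
ICMP_DEST_UNREACH = 3

def build_unreachable(code, src, sport, dst, dport):
    """Construct a minimal ICMP Destination Unreachable quoting a 20-byte IP
    header plus the first 8 bytes of the TCP header (constructed sample)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    tcp8 = struct.pack("!HHI", sport, dport, 0)
    return struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + ip + tcp8

def parse_unreachable(icmp):
    """Return (code, (local_ip, lport, remote_ip, rport)).  The quoted
    datagram is the one *we* sent, so its source is our side of the
    connection and its destination is the peer."""
    if icmp[0] != ICMP_DEST_UNREACH or len(icmp) < 8 + 20 + 8:
        raise ValueError("not a complete ICMP Destination Unreachable")
    code, inner = icmp[1], icmp[8:]
    ihl = (inner[0] & 0x0F) * 4                  # honour IP options length
    src, dst = struct.unpack("!4s4s", inner[12:20])
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return code, (str(IPv4Address(src)), sport, str(IPv4Address(dst)), dport)

def apply_42bsd_style(code, key, conns):
    """The behaviour the message warns about: one port-unreachable tears
    down every connection to that remote host.  Returns the keys hit."""
    if code not in HARD_CODES:
        return []
    victims = [k for k in conns if k[2] == key[2]]   # match on host only
    for k in victims:
        conns[k] = "ABORTED"
    return victims

def apply_rfc1122_style(code, key, conns):
    """Demultiplex on the full four-tuple and touch only that connection;
    soft errors are recorded, unknown connections are ignored silently."""
    if key not in conns:
        return []
    conns[key] = "ABORTED" if code in HARD_CODES else "SOFT_ERROR"
    return [key]
```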


