From owner-freebsd-hackers Mon May 5 21:16:09 1997
From: Archie Cobbs
Message-Id: <199705060414.VAA11171@bubba.whistle.com>
Subject: Re: divert still broken?
In-Reply-To: from Daniel O'Callaghan at "May 6, 97 01:04:32 pm"
To: danny@panda.hilink.com.au (Daniel O'Callaghan)
Date: Mon, 5 May 1997 21:14:57 -0700 (PDT)
Cc: current@FreeBSD.ORG, hackers@FreeBSD.ORG

> > > > - When a reject rule applies to an incoming TCP packet, send
> > > >   the appropriate TCP response packet (i.e., RST) instead of an
> > > >   ICMP port unreachable.
> > >
> > > I think you want to make this user configurable and perhaps on a per-rule
> > > basis.
> >
> > This is only with "reject" -- i.e., right now it sends an ICMP unreachable.
> > There's still "deny" which silently drops.
>
> How about
>
>   ipfw add 1000 reset tcp from any to foo 23
>
> So the choices are:
>   deny  : be silent
>   reject: send ICMP !H
>   reset : send RST

Sounds OK with me.. anybody else care to comment?

-Archie

___________________________________________________________________________
Archie Cobbs * Whistle Communications, Inc. * http://www.whistle.com
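Added example, not from this thread or from ipfw itself: what the sender of a blocked TCP segment gets back under each of the three actions in Daniel's table, built as raw TCP/ICMP bytes so the difference is visible (deny: nothing, so a connect() times out; reject: an ICMP unreachable; reset: a RST whose SEQ/ACK follow RFC 793 so the peer's stack reports "connection refused"). Addresses, ports and the sample SYN are constructed; the ICMP code used (port unreachable, code 3) is an assumption, since the thread mentions both port and host unreachable.

```python
import struct
from ipaddress import IPv4Address

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

def inet_checksum(data: bytes) -> int:
    # RFC 1071 ones-complement sum over 16-bit words (used by both TCP and ICMP)
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_tcp(segment: bytes) -> dict:
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x3F, "payload": segment[(off_flags >> 12) * 4:]}

def build_tcp(src, dst, sport, dport, seq, ack, flags) -> bytes:
    # 20-byte header; the checksum covers the IPv4 pseudo-header (src, dst, 0, proto 6, length)
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 0, 0, 0)
    pseudo = IPv4Address(src).packed + IPv4Address(dst).packed + struct.pack("!BBH", 0, 6, len(hdr))
    return hdr[:16] + struct.pack("!H", inet_checksum(pseudo + hdr)) + hdr[18:]

def firewall_response(action, src, dst, ip_hdr, segment):
    # Packet the sender of `segment` (src -> dst) receives under each ipfw action, or None.
    t = parse_tcp(segment)
    if action == "deny":
        return None                                   # silent drop: the port looks "filtered"
    if action == "reject":
        # ICMP type 3, code 3 = port unreachable (assumption: the thread also mentions "!H",
        # which would be code 1). RFC 792: quote the offending IP header plus 8 bytes.
        body = struct.pack("!BBHI", 3, 3, 0, 0) + ip_hdr + segment[:8]
        return ("icmp", body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:])
    if action == "reset":
        if t["flags"] & RST:
            return None                               # RFC 793: never answer a RST with a RST
        if t["flags"] & ACK:                          # reset takes the peer's ACK as its SEQ
            seq, ack, flags = t["ack"], 0, RST
        else:                                         # SYN or bare data: SEQ 0, ACK = SEQ + length
            seg_len = len(t["payload"]) + bool(t["flags"] & SYN) + bool(t["flags"] & FIN)
            seq, ack, flags = 0, (t["seq"] + seg_len) & 0xFFFFFFFF, RST | ACK
        return ("tcp", build_tcp(dst, src, t["dport"], t["sport"], seq, ack, flags))
    raise ValueError("unknown action %r" % action)

# Constructed sample: a SYN from 10.0.0.1:40000 to 10.0.0.2:23 (telnet, as in Daniel's rule)
SRC, DST = "10.0.0.1", "10.0.0.2"
SAMPLE_IP_HDR = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0x4000, 64, 6, 0, IPv4Address(SRC).packed, IPv4Address(DST).packed)
SAMPLE_SYN = struct.pack("!HHIIHHHH", 40000, 23, 1000, 0, (5 << 12) | SYN, 8192, 0, 0)
```

Calling `firewall_response("reset", SRC, DST, SAMPLE_IP_HDR, SAMPLE_SYN)` yields a RST|ACK from port 23 back to port 40000 with ACK 1001, which is exactly what a scanner logs as "closed" rather than "filtered".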