From owner-freebsd-current Thu Feb 29 12:11:12 1996
Return-Path: owner-current
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id MAA03958 for current-outgoing; Thu, 29 Feb 1996 12:11:12 -0800 (PST)
Received: from rocky.sri.MT.net (rocky.sri.MT.net [204.182.243.10]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id MAA03953 for ; Thu, 29 Feb 1996 12:11:09 -0800 (PST)
Received: (from nate@localhost) by rocky.sri.MT.net (8.6.12/8.6.12) id NAA12375; Thu, 29 Feb 1996 13:12:30 -0700
Date: Thu, 29 Feb 1996 13:12:30 -0700
From: Nate Williams
Message-Id: <199602292012.NAA12375@rocky.sri.MT.net>
To: Paul Richards
Cc: current@FreeBSD.ORG
Subject: Re: Processing ICMP packets (was: -stable hangs at boot (fwd))
In-Reply-To: <199602291859.SAA17390@tees>
References: <199602291859.SAA17390@tees>
Sender: owner-current@FreeBSD.ORG
Precedence: bulk

> > It does have special meaning. Theoretically, you SHOULD be able to say
> > "if I get 9 (or 10) I cannot reach that net (or host), period." However,
> > many firewalls generate 9 or 10 (which was obsoleted by 13 for just this
> > reason). 13 says "don't assume anything other than this connection attempt
> > was refused for administrative reasons."
>
> Trouble is, if you're a paranoid firewall maintainer, like most are
> (and should be), then you don't want to tell the world that you're a
> firewall and you're denying access, you want to say, there's no such
> address as the one you're trying so stop wasting your time.

I disagree. This is security through obscurity, and any hacker worth
their salt is going to see right through this. If they're trying to
access a host behind a firewall, they already know it exists, so if you
think telling them otherwise is going to matter then you're simply
fooling yourself.

Nate

p.s. Paul, I'm still waiting for a review of my handbook entries. :)
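The ICMP Destination Unreachable codes the quoted text discusses (9, 10 and 13), as an added example that is not part of the original thread: it builds a type 3 message with a given code, quoting the offending IP header plus 8 bytes as RFC 792 requires, and a receiver-side parser validates the RFC 1071 checksum and reports which code was used and what the quoted datagram was trying to reach. The IPv4/TCP datagram it quotes is constructed for the example; the code-to-meaning table follows RFC 792/1812 and the obsoleted status of 9 and 10 is as the quoted text states.

```python
import struct

# Destination Unreachable (ICMP type 3) codes; 9 and 10 are the ones the
# quoted text says were obsoleted by 13 (RFC 792 / RFC 1812).
UNREACH_CODES = {
    0: "net unreachable",
    1: "host unreachable",
    3: "port unreachable",
    9: "net administratively prohibited (obsoleted by 13)",
    10: "host administratively prohibited (obsoleted by 13)",
    13: "communication administratively prohibited",
}

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; a valid message (checksum included) sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_unreachable(code: int, original_datagram: bytes) -> bytes:
    """Type 3 message quoting the offending IP header plus 8 bytes of its payload."""
    ihl = (original_datagram[0] & 0x0F) * 4
    quoted = original_datagram[:ihl + 8]
    csum = icmp_checksum(struct.pack("!BBHI", 3, code, 0, 0) + quoted)
    return struct.pack("!BBHI", 3, code, csum, 0) + quoted  # type, code, checksum, unused

def parse_unreachable(msg: bytes) -> dict:
    """Receiver side: verify the checksum, then report the code and the quoted target."""
    if len(msg) < 28 or icmp_checksum(msg) != 0 or msg[0] != 3:
        raise ValueError("not a well-formed ICMP Destination Unreachable")
    code, inner = msg[1], msg[8:]
    ihl = (inner[0] & 0x0F) * 4
    if len(inner) < ihl + 4:
        raise ValueError("quoted datagram too short to carry port numbers")
    dport = struct.unpack("!HH", inner[ihl:ihl + 4])[1]
    return {"code": code, "meaning": UNREACH_CODES.get(code, "other"),
            "obsolete_code": code in (9, 10), "proto": inner[9],
            "dst": ".".join(str(b) for b in inner[16:20]), "dport": dport}

def sample_tcp_datagram() -> bytes:
    """Constructed IPv4 header (TCP, 192.0.2.1 -> 10.0.0.5) + 8 TCP bytes; not real traffic."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 48, 0x1234, 0x4000, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([10, 0, 0, 5]))
    return ip + struct.pack("!HHI", 40000, 22, 1)  # sport, dport, seq

if __name__ == "__main__":
    print(parse_unreachable(build_unreachable(13, sample_tcp_datagram())))
```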