Date: Thu, 23 Aug 2001 18:23:31 -0700
From: Scott Renfro <scott@renfro.org>
To: Barney Wolff
Cc: freebsd-net@FreeBSD.ORG, Jonathan Lemon, Jesper Skriver, Bill Fenner, Cory Scott
Subject: Re: Proposed change to icmp_may_rst induced ENETRESET
Message-ID: <20010823182331.A38019@bonsai.home.renfro.org>
References: <20010822020504.C24160@bonsai.home.renfro.org> <20010823165326.A24963@tp.databus.com>
In-Reply-To: <20010823165326.A24963@tp.databus.com>; from barney@databus.com on Thu, Aug 23, 2001 at 04:53:26PM -0400

On Thu, Aug 23, 2001 at 04:53:26PM -0400, Barney Wolff wrote:
>
> As another heavy nmap user, I'd vote just the other way. It's useful
> to differentiate between a reset coming back from the destination host
> and an unreachable from a firewall/router-acl. Ordinary apps probably
> don't care all that much about why a connection could not be
> established, and just report the error to the user.

I suspect that most (good) applications use strerror(3) to map errors
into messages for the user. Today, users get "Network dropped connection
on reset"; with the patch they'd get "Connection refused". I think the
latter is preferred under POLA, especially when the former is not a
documented response to connect(2).

You have a valid point that icmp_may_rst changes nmap's behavior, even
with the proposed patch. If you want nmap's historic behavior (admin
prohib ==> filtered), then turning off icmp_may_rst works. With
icmp_may_rst turned on and the patch committed, you get the other
behavior (admin prohib ==> closed). Without the patch, nmap spews errors
and would need a FreeBSD-specific change.

regards,
--Scott

--
Scott Renfro                                            +1 650 862 4206