Date: Thu, 22 Aug 1996 19:57:22 +0200 (MET DST)
From: guido@gvr.win.tue.nl (Guido van Rooij)
To: john@starfire.mn.org
Cc: hackers@FreeBSD.ORG
Subject: Re: ICMP REJECT and telnet with FreeBSD
Message-ID: <199608221757.TAA20865@gvr.win.tue.nl>
In-Reply-To: <199608221354.IAA19336@starfire.mn.org> from "john@starfire.mn.org" at "Aug 22, 96 08:54:51 am"
john@starfire.mn.org wrote:
>
> I set up the firewall to "reject" instead of "deny" unauthorized
> TCP setups, and allowed ICMP so that these rejects could be
> communicated. This works as expected with SCO ODT, SunOS, and
> UnixWare 2.03 in that the reject is immediately detected and reported
> by telnet, but when attempting to connect from an unauthorized
> FreeBSD machine, either 2.1.0-R or 2.1.5-R, telnet takes just as
> long to report the reject as it would the timeout if I had used
> "deny" instead of "reject" (one minute, 14 seconds, and some change).
>
> Is this a design feature, a desired behavior, or something that
> merits further investigation, either by me or someone else?
>

It is by design: it would break TCP if the TCP layer listened to ICMP host unreachables. Indeed, this may be a temporary failure and the routing might be working again 10 seconds later. Instead, use ipfilter and send back a TCP reset when such a packet comes in.

-Guido
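As an added illustration of the advice above (this ruleset is not from the thread or from the FreeBSD project), an ipfilter configuration that answers unauthorised telnet SYNs with a TCP RST instead of an ICMP host unreachable; the interface name ed0 and the allowed network 192.168.1.0/24 are assumed values.

```conf
# ipf.conf fragment (constructed example; "ed0" and 192.168.1.0/24 are
# assumptions, not values taken from the thread).

# Authorised hosts may open telnet (TCP/23) sessions.
pass in quick on ed0 proto tcp from 192.168.1.0/24 to any port = 23 flags S

# Weak choice for TCP: replying to an unauthorised SYN with an ICMP host
# unreachable.  FreeBSD's TCP treats that ICMP as a soft error, so the
# remote telnet keeps retransmitting until its connect timeout expires,
# which looks exactly like a silent drop.
# block return-icmp(host-unr) in quick on ed0 proto tcp from any to any port = 23 flags S

# Preferred choice for TCP: reply to the SYN with a TCP RST.  The remote
# connect() fails immediately with "Connection refused".
block return-rst in quick on ed0 proto tcp from any to any port = 23 flags S

# ICMP unreachable remains the right reply for UDP, which has no RST.
block return-icmp(port-unr) in quick on ed0 proto udp from any to any

# Everything else is dropped silently.
block in quick on ed0 all
```

The commented-out return-icmp line is left in place only to show the setting the thread warns against; keep it disabled.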