From owner-freebsd-hackers Thu Aug 22 10:57:43 1996
Return-Path: owner-hackers
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id KAA03929 for hackers-outgoing; Thu, 22 Aug 1996 10:57:43 -0700 (PDT)
Received: from gvr.win.tue.nl (root@gvr.win.tue.nl [131.155.210.19]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id KAA03914 for ; Thu, 22 Aug 1996 10:57:38 -0700 (PDT)
Received: by gvr.win.tue.nl (8.6.13/1.53) id TAA20865; Thu, 22 Aug 1996 19:57:23 +0200
From: guido@gvr.win.tue.nl (Guido van Rooij)
Message-Id: <199608221757.TAA20865@gvr.win.tue.nl>
Subject: Re: ICMP REJECT and telnet with FreeBSD
To: john@starfire.mn.org
Date: Thu, 22 Aug 1996 19:57:22 +0200 (MET DST)
Cc: hackers@FreeBSD.ORG
In-Reply-To: <199608221354.IAA19336@starfire.mn.org> from "john@starfire.mn.org" at "Aug 22, 96 08:54:51 am"
X-Mailer: ELM [version 2.4ME+ PL17 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-hackers@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

john@starfire.mn.org wrote:
>
> I set up the firewall to "reject" instead of "deny" unauthorized
> TCP setups, and allowed ICMP so that these rejects could be
> communicated. This works as expected with SCO ODT, SunOS, and
> UnixWare 2.03 in that the reject is immediately detected and reported
> by telnet, but when attempting to connect from an unauthorized
> FreeBSD machine, either 2.1.0-R or 2.1.5-R, telnet takes just as
> long to report the reject as it would the timeout if I had used
> "deny" instead of "reject" (one minute, 14 seconds, and some change).
>
> Is this a design feature, a desired behavior, or something that
> merits further investigation, either by me or someone else?
>

It is by design: it would break TCP if the TCP layer listened to ICMP
host unreachables. Indeed, this may be a temporary failure, and the
routing might be working again 10 seconds later.
Instead, use ipfilter and send back a TCP reset when such a packet
comes in.

-Guido
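The three behaviours discussed in this thread, written out as ipfilter rules (an added example in ipf.conf syntax, not part of Guido's message or of any FreeBSD configuration). The interface name ed0, the telnet server 192.0.2.10 and the address ranges are assumptions for illustration; only one of the three "block" rules should be active at a time, since with "quick" the first matching rule wins.

```conf
# Added example, not from the original thread. Interface, addresses and
# the allowed network are assumed for illustration.

# Authorized clients: accept the initial SYN and let state handle the rest.
pass in quick on ed0 proto tcp from 192.0.2.0/24 to 192.0.2.10 port = 23 flags S keep state

# Choice 1: silent drop, i.e. ipfw's "deny". The client hears nothing and
# keeps retransmitting its SYN until its own connect timeout expires
# (the roughly 75 seconds John measured).
block in quick on ed0 proto tcp from any to 192.0.2.10 port = 23 flags S

# Choice 2: ipfw's "reject", i.e. answer with an ICMP host-unreachable.
# Stacks that abort a connecting socket on ICMP report the failure at
# once; a stack that treats the ICMP as a soft error, as Guido says
# FreeBSD 2.1's TCP does, behaves exactly like choice 1.
#block return-icmp(host-unr) in quick on ed0 proto tcp from any to 192.0.2.10 port = 23 flags S

# Choice 3: Guido's suggestion. ipfilter forges a TCP RST in the name of
# the destination; a SYN_SENT connection must abort on a matching RST, so
# every client, FreeBSD included, reports "Connection refused" immediately.
# return-rst is only valid on TCP rules; use return-icmp for UDP.
#block return-rst in quick on ed0 proto tcp from any to 192.0.2.10 port = 23 flags S
```

Two caveats a practitioner will want. First, both "reject" variants announce that a filter exists and distinguish filtered ports from dead hosts, so a silent drop is the better choice where the rejecting host should not advertise itself; the RST variant also makes the firewall a source of unsolicited packets addressed to whatever source address arrived in the SYN. Second, the "TCP must ignore ICMP unreachables" rule is not absolute in later stacks: FreeBSD later added the sysctl net.inet.tcp.icmp_may_rst, which lets certain ICMP unreachable messages abort a connection that is still in SYN_SENT, so the timing John observed is specific to the 2.1-era TCP and to the ICMP code the firewall sends.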