Date:      Fri, 23 Aug 1996 08:07:25 +1000 (EST)
From:      Darren Reed <avalon@coombs.anu.edu.au>
To:        john@starfire.mn.org
Cc:        hackers@freebsd.org
Subject:   Re: ICMP REJECT and telnet with FreeBSD
Message-ID:  <199608222207.PAA22004@freefall.freebsd.org>
In-Reply-To: <199608221354.IAA19336@starfire.mn.org> from "john@starfire.mn.org" at Aug 22, 96 08:54:51 am

In some mail from john@starfire.mn.org, sie said:
[...]
> I set up the firewall to "reject" instead of "deny" unauthorized
> TCP setups, and allowed ICMP so that these rejects could be
> communicated.  This works as expected with SCO ODT, SunOS, and
> UnixWare 2.03 in that the reject is immediately detected and reported
> by telnet, but when attempting to connect from an unauthorized
> FreeBSD machine, either 2.1.0-R or 2.1.5-R, telnet takes just as
> long to report the reject as it would the timeout if I had used
> "deny" instead of "reject" (one minute, 14 seconds, and some change).
> 
> Is this a design feature, a desired behavior, or something that
> merits further investigation, either by me or someone else?

Idea is that 4.4BSD type kernels regard ICMP network unreachables as errors,
but temporary errors caused by changing network conditions.  The effect of
this is that it records the error but the error isn't immediately fatal.

Darren
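
Added example, not part of the original message or of FreeBSD: a Python probe that can be run from each client OS against the firewalled port to see which of the behaviours discussed in this thread that client's stack shows. The function names, the 2-second "fast" threshold and the 90-second timeout (chosen to exceed the 1 minute 14 seconds reported above) are assumptions made for illustration.

```python
import errno
import socket
import sys
import time

# errno values a stack reports when it surfaces an ICMP unreachable to connect()
ICMP_ERRNOS = {errno.ENETUNREACH, errno.EHOSTUNREACH}

def classify(err, elapsed, fast=2.0):
    """Interpret one connect() result. err: errno, 0 on success, None on our own timeout."""
    if err == 0:
        return "connected"
    if err == errno.ECONNREFUSED:
        return "refused (TCP RST)"
    if err in ICMP_ERRNOS:
        if elapsed <= fast:
            return "reject reported immediately"
        # Error was recorded but only surfaced once the connect attempt gave up.
        return "reject recorded, reported only after retries"
    if err is None or err == errno.ETIMEDOUT:
        return "timed out (silent drop, or reject never surfaced)"
    return "other: " + errno.errorcode.get(err, str(err))

def probe(host, port, timeout=90.0):
    """Time a single TCP connect() and return (errno, seconds, verdict)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    start = time.monotonic()
    try:
        s.connect((host, port))
        err = 0
    except socket.timeout:      # must precede OSError: it is a subclass
        err = None
    except OSError as e:
        err = e.errno
    finally:
        s.close()
    elapsed = time.monotonic() - start
    return err, elapsed, classify(err, elapsed)

if __name__ == "__main__":
    # Usage: python probe.py <ip-address> <port>
    err, elapsed, verdict = probe(sys.argv[1], int(sys.argv[2]))
    print("%.1fs  %s" % (elapsed, verdict))
```
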


