From: Darren Reed
Subject: Re: ICMP REJECT and telnet with FreeBSD
To: john@starfire.mn.org
Date: Fri, 23 Aug 1996 08:07:25 +1000 (EST)
Cc: hackers@freebsd.org
Message-Id: <199608222207.PAA22004@freefall.freebsd.org>
In-Reply-To: <199608221354.IAA19336@starfire.mn.org> from "john@starfire.mn.org" at Aug 22, 96 08:54:51 am

In some mail from john@starfire.mn.org, sie said:
[...]
> I set up the firewall to "reject" instead of "deny" unauthorized
> TCP setups, and allowed ICMP so that these rejects could be
> communicated. This works as expected with SCO ODT, SunOS, and
> UnixWare 2.03 in that the reject is immediately detected and reported
> by telnet, but when attempting to connect from an unauthorized
> FreeBSD machine, either 2.1.0-R or 2.1.5-R, telnet takes just as
> long to report the reject as it would the timeout if I had used
> "deny" instead of "reject" (one minute, 14 seconds, and some change).
>
> Is this a design feature, a desired behavior, or something that
> merits further investigation, either by me or someone else?

Idea is that 4.4BSD-type kernels regard ICMP network unreachables as
errors, but temporary errors caused by changing network conditions.
The effect of this is that it records the error but the error isn't
immediately fatal.

Darren
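The soft-error behaviour Darren describes, as an added example that is not part of the original mail and not the FreeBSD kernel source: a small C model of how a 4.4BSD-derived TCP handles an ICMP unreachable that arrives while a connection is still in SYN_SENT. The decision logic follows tcp_notify() and tcp_drop() as I recall them from 4.4BSD (record the error as t_softerror, promote it to so_error only under specific conditions, and report the remembered soft error instead of ETIMEDOUT when the timer finally gives up); the "> 3 retransmissions" threshold and the MAX_RXT cap are assumptions, so check sys/netinet/tcp_subr.c and tcp_timer.c on the tree you care about. The ICMP event patterns are constructed inputs.

```c
/* Added example: a model of 4.4BSD-style "soft" ICMP error handling for TCP.
 * Not from the original mail and not the FreeBSD source; thresholds are
 * assumptions, verify against your kernel's tcp_notify()/tcp_drop(). */
#include <errno.h>
#include <stdio.h>
#include <string.h>

enum tcp_state { TCPS_SYN_SENT = 2, TCPS_ESTABLISHED = 4 };

struct tcpcb_model {
    enum tcp_state t_state;
    int t_rxtshift;   /* consecutive retransmissions of the current segment */
    int t_softerror;  /* ICMP-reported error, recorded but not yet fatal */
    int so_error;     /* the errno connect()/read() hands to the application */
};

/* Deliver an ICMP-derived errno to the connection.
 * Returns 1 if it became fatal (so_error set), 0 if it was only recorded. */
int tcp_notify_model(struct tcpcb_model *tp, int error)
{
    /* Once established, reachability errors are ignored outright. */
    if (tp->t_state == TCPS_ESTABLISHED &&
        (error == EHOSTUNREACH || error == ENETUNREACH || error == EHOSTDOWN))
        return 0;
    /* Still connecting, already retransmitted several times, and this is
     * a repeat error: give up now rather than wait for the full timeout
     * (assumed threshold: t_rxtshift > 3). */
    if (tp->t_state < TCPS_ESTABLISHED && tp->t_rxtshift > 3 && tp->t_softerror) {
        tp->so_error = error;
        return 1;
    }
    /* Otherwise remember it and keep retransmitting. */
    tp->t_softerror = error;
    return 0;
}

/* When the timer finally drops the attempt, the application sees the
 * remembered soft error, if any, rather than a bare ETIMEDOUT. */
int tcp_drop_model(struct tcpcb_model *tp)
{
    tp->so_error = tp->t_softerror ? tp->t_softerror : ETIMEDOUT;
    return tp->so_error;
}

#define MAX_RXT 12  /* assumed cap on SYN retransmissions before the timer gives up */

struct outcome { int error; int retransmits; };

/* icmp_after[k] != 0 means an ICMP net-unreachable arrives after the k-th
 * transmission of the SYN (k == 0 is the original). Returns the errno the
 * application eventually sees and how many retransmissions preceded it. */
struct outcome simulate_connect(const int *icmp_after)
{
    struct tcpcb_model tp = { TCPS_SYN_SENT, 0, 0, 0 };
    struct outcome out;
    int k;
    for (k = 0; k <= MAX_RXT; k++) {
        if (icmp_after[k] && tcp_notify_model(&tp, ENETUNREACH)) {
            out.error = tp.so_error;
            out.retransmits = k;
            return out;
        }
        if (k < MAX_RXT)
            tp.t_rxtshift = k + 1;   /* REXMT timer fired, SYN sent again */
    }
    out.error = tcp_drop_model(&tp);
    out.retransmits = MAX_RXT;
    return out;
}

/* Constructed input: a single ICMP reject after the first SYN. The error
 * is recorded, every retransmission still happens, and only the final
 * drop reports ENETUNREACH, which is the slow telnet John observed. */
struct outcome scenario_single_reject(void)
{
    int icmp_after[MAX_RXT + 1] = { 1 };
    return simulate_connect(icmp_after);
}

/* Constructed input: the firewall rejects every SYN. The repeat error
 * after enough retransmissions trips the give-up path early. */
struct outcome scenario_reject_every_syn(void)
{
    int icmp_after[MAX_RXT + 1];
    int k;
    for (k = 0; k <= MAX_RXT; k++)
        icmp_after[k] = 1;
    return simulate_connect(icmp_after);
}

/* An established connection ignores a host-unreachable entirely. */
int established_ignores_unreachable(void)
{
    struct tcpcb_model tp = { TCPS_ESTABLISHED, 0, 0, 0 };
    tcp_notify_model(&tp, EHOSTUNREACH);
    return tp.so_error == 0 && tp.t_softerror == 0;
}

int main(void)
{
    struct outcome a = scenario_single_reject();
    struct outcome b = scenario_reject_every_syn();
    printf("single reject:     %s after %d retransmissions\n", strerror(a.error), a.retransmits);
    printf("reject every SYN:  %s after %d retransmissions\n", strerror(b.error), b.retransmits);
    printf("established ignores EHOSTUNREACH: %s\n", established_ignores_unreachable() ? "yes" : "no");
    return 0;
}
```

The point the model makes concrete is that the error is not lost: connect() does eventually return ENETUNREACH rather than ETIMEDOUT, it just does so when the connection-establishment timer expires instead of when the ICMP arrives. A firewall that answers every retransmitted SYN with a reject shortens that wait in this model only because a repeat error after several retransmissions takes the give-up branch.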