Date:      Sun, 6 Jul 1997 19:48:41 -0400 (EDT)
From:      Brian Mitchell <brian@firehouse.net>
To:        nsayer@quack.kfu.com
Cc:        Bill Fenner <fenner@FreeBSD.ORG>, joerg@FreeBSD.ORG, jkh@FreeBSD.ORG, hackers@FreeBSD.ORG
Subject:   Re: kern/3446
Message-ID:  <Pine.BSI.3.95.970706194635.13598A-100000@shell.firehouse.net>
In-Reply-To: <199707062239.PAA26655@quack.kfu.com>

On Sun, 6 Jul 1997 nsayer@quack.kfu.com wrote:

> Bill Fenner writes:
> 
> > Synopsis: IPFIREWALL reject returns port unreachable, not host
> 
> > State-Changed-From-To: open-closed
> > State-Changed-By: fenner
> > State-Changed-When: Sun Jul 6 12:42:34 PDT 1997
> > State-Changed-Why: 
> > Turns out this is yet another duplicate, for kern/3452.
> > I missed that one because it's closed.
> 
> I don't know how so many duplicates got made. I believe I sent this
> in a total of twice.
> 
> I must protest in the strongest possible terms the closure without
> action of this PR.
> 
> The language given in the closure of 3452 suggests that the PR
> should be dismissed because FreeBSD is acting correctly
> according to the RFCs. That is not the issue here. The issue
> here is that behavior that is correct according to the RFC
> breaks what is perhaps the most populous unix implementation
> that the world has ever known. I feel that that is worth at
> _least_ of a sysctl variable (as exists for TCP extensions,
> for example), if not an outright substitution of behavior that
> actually works for behavior that is theoretically correct.
> 
> Do we live and work in the real world or not?!

A sysctl is probably a good idea, although personally I don't use host or
port unreachables - ICMP_UNREACH_FILTER_PROHIB seems to me to be _much_
more appropriate, but sysctl would let the firewall admin decide at boot
time which he/she prefers.

Brian Mitchell                           brian@firehouse.net
"BSD code sucks. Of course, everything else sucks far more."
- Theo de Raadt