Date: Sun, 6 Jul 1997 19:48:41 -0400 (EDT)
From: Brian Mitchell <brian@firehouse.net>
To: nsayer@quack.kfu.com
Cc: Bill Fenner <fenner@FreeBSD.ORG>, joerg@FreeBSD.ORG, jkh@FreeBSD.ORG, hackers@FreeBSD.ORG
Subject: Re: kern/3446
Message-ID: <Pine.BSI.3.95.970706194635.13598A-100000@shell.firehouse.net>
In-Reply-To: <199707062239.PAA26655@quack.kfu.com>

On Sun, 6 Jul 1997 nsayer@quack.kfu.com wrote:

> Bill Fenner writes:
>
> > Synopsis: IPFIREWALL reject returns port unreachable, not host
>
> > State-Changed-From-To: open-closed
> > State-Changed-By: fenner
> > State-Changed-When: Sun Jul 6 12:42:34 PDT 1997
> > State-Changed-Why:
> > Turns out this is yet another duplicate, for kern/3452.
> > I missed that one because it's closed.
>
> I don't know how so many duplicates got made. I believe I sent this
> in a total of twice.
>
> I must protest in the strongest possible terms the closure without
> action of this PR.
>
> The language given in the closure of 3452 suggests that the PR
> should be dismissed because FreeBSD is acting correctly
> according to the RFCs. That is not the issue here. The issue
> here is that behavior that is correct according to the RFC
> breaks what is perhaps the most populous unix implementation
> that the world has ever known. I feel that that is worth at
> _least_ of a sysctl variable (as exists for TCP extensions,
> for example), if not an outright substitution of behavior that
> actually works for behavior that is theoretically correct.
>
> Do we live and work in the real world or not?!

A sysctl is probably a good idea, although personally I don't use host or
port unreachables - ICMP_UNREACH_FILTER_PROHIB seems to me to be _much_
more appropriate, but sysctl would let the firewall admin decide at boot
time which he/she prefers.

Brian Mitchell brian@firehouse.net
"BSD code sucks. Of course, everything else sucks far more."
- Theo de Raadt