From owner-freebsd-hackers Sun Jul 6 16:49:08 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id QAA11900 for hackers-outgoing; Sun, 6 Jul 1997 16:49:08 -0700 (PDT)
Received: from shell.firehouse.net (brian@shell.firehouse.net [209.42.203.45]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id QAA11893; Sun, 6 Jul 1997 16:48:51 -0700 (PDT)
Received: from localhost (brian@localhost) by shell.firehouse.net (8.8.5/8.8.5) with SMTP id TAA13606; Sun, 6 Jul 1997 19:48:42 -0400 (EDT)
Date: Sun, 6 Jul 1997 19:48:41 -0400 (EDT)
From: Brian Mitchell
To: nsayer@quack.kfu.com
cc: Bill Fenner, joerg@FreeBSD.ORG, jkh@FreeBSD.ORG, hackers@FreeBSD.ORG
Subject: Re: kern/3446
In-Reply-To: <199707062239.PAA26655@quack.kfu.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-hackers@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Sun, 6 Jul 1997 nsayer@quack.kfu.com wrote:

> Bill Fenner writes:
>
> > Synopsis: IPFIREWALL reject returns port unreachable, not host
> >
> > State-Changed-From-To: open-closed
> > State-Changed-By: fenner
> > State-Changed-When: Sun Jul 6 12:42:34 PDT 1997
> > State-Changed-Why:
> > Turns out this is yet another duplicate, for kern/3452.
> > I missed that one because it's closed.
>
> I don't know how so many duplicates got made. I believe I sent this
> in a total of twice.
>
> I must protest in the strongest possible terms the closure without
> action of this PR.
>
> The language given in the closure of 3452 suggests that the PR
> should be dismissed because FreeBSD is acting correctly
> according to the RFCs. That is not the issue here. The issue
> here is that behavior that is correct according to the RFC
> breaks what is perhaps the most populous unix implementation
> that the world has ever known. I feel that that is worth at
> _least_ of a sysctl variable (as exists for TCP extensions,
> for example), if not an outright substitution of behavior that
> actually works for behavior that is theoretically correct.
>
> Do we live and work in the real world or not?!

A sysctl is probably a good idea, although personally I don't use host or
port unreachables - ICMP_UNREACH_FILTER_PROHIB seems to me to be _much_
more appropriate, but sysctl would let the firewall admin decide at boot
time which he/she prefers.

Brian Mitchell brian@firehouse.net
"BSD code sucks. Of course, everything else sucks far more." - Theo de Raadt
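The three ICMP destination-unreachable variants argued over in this thread, built and parsed on the wire: port unreachable (code 3, what the PR says the reject rule sends), host unreachable (code 1, what the PR asks for), and the administratively-prohibited-by-filter code (13, what Brian prefers). This is an added example written for this page, not code from FreeBSD's ip_fw or from anyone in the thread. The rejected datagram is a constructed IPv4/UDP probe, the ICMP constants carry the same values as in <netinet/ip_icmp.h> but are redefined locally so the file builds anywhere, and the function names are the example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Type/code values from RFC 792 and RFC 1812; same numbers as
 * <netinet/ip_icmp.h>, redefined here so the example is self-contained. */
#define ICMP_UNREACH                3
#define ICMP_UNREACH_HOST           1
#define ICMP_UNREACH_PORT           3
#define ICMP_UNREACH_FILTER_PROHIB  13

/* An unreachable message is type, code, checksum and 4 unused bytes,
 * followed by the offending IP header plus the first 8 bytes of its payload. */
#define ICMP_MINLEN     8
#define IP_HDR_LEN      20
#define ICMP_QUOTE_LEN  8

/* Internet checksum (RFC 1071); handles odd lengths by zero-padding. */
static uint16_t in_cksum(const uint8_t *data, size_t len) {
    uint32_t sum = 0;
    while (len > 1) { sum += (uint32_t)(data[0] << 8 | data[1]); data += 2; len -= 2; }
    if (len) sum += (uint32_t)(data[0] << 8);
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Build the ICMP unreachable message a firewall would send back for the
 * rejected packet ip[0..iplen). Returns bytes written to out, or 0 on error. */
size_t build_icmp_unreach(uint8_t code, const uint8_t *ip, size_t iplen,
                          uint8_t *out, size_t outcap) {
    if (iplen < IP_HDR_LEN) return 0;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;          /* rejected packet's header length */
    if (ihl < IP_HDR_LEN || ihl > iplen) return 0;
    size_t payload = iplen - ihl;
    size_t quote = ihl + (payload < ICMP_QUOTE_LEN ? payload : ICMP_QUOTE_LEN);
    size_t total = ICMP_MINLEN + quote;
    if (total > outcap) return 0;
    memset(out, 0, ICMP_MINLEN);                       /* checksum and unused field zeroed */
    out[0] = ICMP_UNREACH;
    out[1] = code;
    memcpy(out + ICMP_MINLEN, ip, quote);              /* quote the offending header + 8 bytes */
    uint16_t ck = in_cksum(out, total);
    out[2] = (uint8_t)(ck >> 8);
    out[3] = (uint8_t)(ck & 0xff);
    return total;
}

/* Parse the receiving side: verify type and checksum, return the code (or -1),
 * and pull the destination port out of the quoted TCP/UDP header if present.
 * That quoted port is how the original sender matches the error to its socket. */
int parse_icmp_unreach(const uint8_t *msg, size_t len, uint16_t *dport) {
    if (len < ICMP_MINLEN + IP_HDR_LEN) return -1;
    if (msg[0] != ICMP_UNREACH) return -1;
    if (in_cksum(msg, len) != 0) return -1;            /* a valid message sums to zero */
    const uint8_t *q = msg + ICMP_MINLEN;
    size_t ihl = (size_t)(q[0] & 0x0f) * 4;
    uint8_t proto = q[9];
    if (dport && (proto == 6 || proto == 17) && len >= ICMP_MINLEN + ihl + 4)
        *dport = (uint16_t)(q[ihl + 2] << 8 | q[ihl + 3]);
    return msg[1];
}

/* Constructed sample: IPv4/UDP from 10.0.0.2:4000 to 10.0.0.1:53, the kind of
 * probe a reject rule answers. IP and UDP checksums are left zero on purpose. */
size_t sample_rejected_packet(uint8_t *buf, size_t cap) {
    static const uint8_t pkt[] = {
        0x45, 0x00, 0x00, 0x1c, 0x00, 0x01, 0x00, 0x00, 0x40, 0x11, 0x00, 0x00,
        10, 0, 0, 2,   10, 0, 0, 1,
        0x0f, 0xa0, 0x00, 0x35, 0x00, 0x08, 0x00, 0x00 };
    if (cap < sizeof pkt) return 0;
    memcpy(buf, pkt, sizeof pkt);
    return sizeof pkt;
}

int main(void) {
    uint8_t pkt[64], msg[128];
    size_t n = sample_rejected_packet(pkt, sizeof pkt);
    const struct { uint8_t code; const char *name; } codes[] = {
        { ICMP_UNREACH_PORT,          "port unreachable (what the PR says reject sends)" },
        { ICMP_UNREACH_HOST,          "host unreachable (what the PR asks for)" },
        { ICMP_UNREACH_FILTER_PROHIB, "admin prohibited by filter (Brian's preference)" },
    };
    for (size_t i = 0; i < sizeof codes / sizeof codes[0]; i++) {
        size_t len = build_icmp_unreach(codes[i].code, pkt, n, msg, sizeof msg);
        uint16_t dport = 0;
        int code = parse_icmp_unreach(msg, len, &dport);
        printf("code %2d -> %zu-byte ICMP message, parsed code %d, quoted dst port %u: %s\n",
               codes[i].code, len, code, dport, codes[i].name);
    }
    return 0;
}
```

All three variants differ only in the code byte (and therefore the checksum); the quoted header is identical, which is why a sysctl choosing among them is a one-line change in the sending path while the receiving stack's reaction (abort the connection, retry, or ignore) hinges entirely on that one byte.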