ICMP unreachables
From: some josher (no@email.address) Date: 06/04/02
From: some josher <no@email.address> Date: Tue, 04 Jun 2002 03:32:37 GMT
The following lines are taken from /usr/src/sys/netinet/ip_icmp.h from the OpenBSD 3.0 sources to clarify my questions.
#define ICMP_UNREACH 3 /* dest unreachable, codes: */
#define ICMP_UNREACH_PORT 3 /* bad port */
#define ICMP_UNREACH_FILTER_PROHIB 13 /* prohibited access */
When writing firewall rules for my OpenBSD box I noticed that deny rules which are written to return an ICMP_UNREACH send an ICMP_UNREACH_PORT by default.
e.g. block return-icmp in log quick proto udp from any to any
When should the ICMP_UNREACH_FILTER_PROHIB code be used? By its name it seems to be a logical code to send back to denied connection attempts.
I've been told by a friend to send an ICMP_UNREACH to denied TCP connection attempts instead of sending a TCP RST.
Is this a good idea? Why?
And one last question, when is it better to reply to attempted connections with an ICMP_UNREACH or TCP RST rather than just drop them silently?
cheers,
josh
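As an added illustration (not part of josh's post or of the OpenBSD sources), the following hypothetical pf.conf fragment places the four response choices the post asks about side by side: silent drop, TCP RST, the default ICMP port unreachable (code 3, ICMP_UNREACH_PORT in the header quoted above), and an ICMP unreachable with the code given explicitly (filter-prohib, code 13, ICMP_UNREACH_FILTER_PROHIB). The macro name ext_if, the interface fxp0 and the port numbers are assumptions chosen for the example, and the explicit return-icmp(code) form is the one documented by later pf.conf(5); whether the 3.0 release accepts it is not something the post establishes. The comments state what the remote peer observes in each case, which is the security-relevant difference: an ICMP port unreachable from a firewall looks exactly like a live host with no listener, while filter-prohib tells the peer outright that a filter rejected the packet, and a silent drop forces the peer to wait for its own timeout.

```pf
# Hypothetical pf.conf fragment (added example, not from the original post).
# ext_if and fxp0 are assumed names for the external interface.
ext_if = "fxp0"

# 1. Silent drop: no reply at all; the peer only learns of the block by timing out.
block drop in log quick on $ext_if proto tcp from any to any port 23

# 2. TCP RST: the peer's connect() fails at once with "connection refused";
#    this is what a host with nothing listening on the port would also send.
block return-rst in log quick on $ext_if proto tcp from any to any port 25

# 3. ICMP unreachable with pf's default code, port unreachable (3), which the post
#    observed; the peer cannot tell this apart from a live host with no UDP listener.
block return-icmp in log quick on $ext_if proto udp from any to any port 161

# 4. ICMP unreachable with the code stated explicitly: filter-prohib (13) tells the
#    peer that the packet was administratively filtered rather than merely unserved.
block return-icmp(filter-prohib) in log quick on $ext_if proto udp from any to any port 514
```

The rules are written with "quick" so that the first match decides, which keeps the response type tied to the rule that logged the packet; when reading the pflog output afterwards, the rule number in the log line is what identifies which of the four responses went back to the peer.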