
Re: Firewall - DROP or DENY




I am writing this just to make sure all readers think about these
things and I don't mean to imply the authors in this thread don't know
about what I am about to say.  With my behind thusly covered:

>>>>> "JC" == Juan Cespedes <cespedes@debian.org> writes:

[...]
    JC> Not necessarily.  If you drop the packets, the remote will try
    JC> to contact you a few times until a timeout is reached.  

Correct.

    JC> If the
    JC> remote party sees a TCP RST or a ICMP UNREACH, it will not try
    JC> to contact you again.

TCP RST yes, ICMP unreachable variants should be used with care
though.  See the host requirements RFC.  I quote from RFC 1122 sect.
3.2.2.1

----
    A Destination Unreachable message that is received with code
    0 (Net), 1 (Host), or 5 (Bad Source Route) may result from a
    routing transient and MUST therefore be interpreted as only
    a hint, not proof, that the specified destination is
    unreachable [IP:11].
----

What JC means is, of course, correct as per the same section of this RFC:


----
    A transport protocol
    that has its own mechanism for notifying the sender that a
    port is unreachable (e.g., TCP, which sends RST segments)
    MUST nevertheless accept an ICMP Port Unreachable for the
    same purpose.
----

In general playing with ICMP SHOULD always be accompanied with
research of RFCs and MUST NOT be done based on mailing list
recommendations alone.

cheers,

BM
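The behaviour the thread is arguing about can be observed from the client side: a TCP RST (what a REJECT with tcp-reset, or a closed port, produces) ends the connection attempt immediately, whereas a dropped packet leaves the client retrying until its timeout, and ICMP net/host unreachable is, per the RFC 1122 text quoted above, only a hint that a sensible client retries on. The following is an added example, not code from the thread or from Debian; it uses only the Python standard library, classifies one connect attempt into those outcomes, and applies a retry policy that treats RST as definitive and the others as retryable. The loopback ports it probes are constructed locally, so it runs offline; the `unreachable` branch cannot be exercised without a real network path and is included to show where that hint-not-proof handling belongs.

```python
import errno
import socket
import time


def probe(host: str, port: int, timeout: float = 2.0):
    """Make one TCP connect attempt and classify how it failed.

    Returns (outcome, elapsed_seconds) where outcome is one of:
      "open"        - three-way handshake completed
      "refused"     - peer answered with TCP RST (REJECT tcp-reset / closed port)
      "unreachable" - local stack got ICMP net/host unreachable (a hint only)
      "timeout"     - nothing came back within `timeout` (typical of DROP)
    """
    start = time.monotonic()
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open", time.monotonic() - start
    except ConnectionRefusedError:
        # RST is the transport's own, authoritative "no service here".
        return "refused", time.monotonic() - start
    except socket.timeout:
        # Silently dropped SYNs look exactly like a dead host.
        return "timeout", time.monotonic() - start
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            # ICMP code 0/1: may be a routing transient, so not proof.
            return "unreachable", time.monotonic() - start
        raise
    finally:
        sock.close()


def connect_with_policy(host: str, port: int, attempts: int = 3,
                        timeout: float = 2.0):
    """Retry policy following RFC 1122 sect. 3.2.2.1.

    "open" and "refused" are final on the first attempt; "unreachable" and
    "timeout" are retried up to `attempts` times.  Returns
    (final_outcome, attempts_used).
    """
    outcome = "timeout"
    for n in range(1, attempts + 1):
        outcome, _ = probe(host, port, timeout)
        if outcome in ("open", "refused"):
            return outcome, n
    return outcome, attempts


def unused_local_port() -> int:
    """Pick a loopback port that currently has no listener (constructed input)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def listening_socket():
    """Open a loopback listener so an 'open' outcome can be demonstrated."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s


if __name__ == "__main__":
    closed = unused_local_port()
    print("closed port:", probe("127.0.0.1", closed))
    print("policy on closed port:", connect_with_policy("127.0.0.1", closed))
    with listening_socket() as srv:
        print("open port:", probe("127.0.0.1", srv.getsockname()[1]))
```

The elapsed time returned alongside the outcome is the point of the exercise: on a closed or RST-rejected port it is a few milliseconds and the policy stops after one attempt, while against a DROP rule the same call would burn the full timeout on every attempt, which is the retry-until-timeout behaviour JC describes.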

