
Re: Firewall - DROP or DENY

I am writing this just to make sure all readers think about these
things and I don't mean to imply the authors in this thread don't know
about what I am about to say.  With my behind thusly covered:

>>>>> "JC" == Juan Cespedes <cespedes@debian.org> writes:

    JC> Not necessarily.  If you drop the packets, the remote will try
    JC> to contact you a few times until a timeout is reached.  If the
    JC> remote party sees a TCP RST or a ICMP UNREACH, it will not try
    JC> to contact you again.

TCP RST, yes; ICMP unreachable variants should be used with care,
though.  See the host requirements RFC.  I quote from RFC 1122 sect.

	A Destination Unreachable message that is received with code
            0 (Net), 1 (Host), or 5 (Bad Source Route) may result from a
            routing transient and MUST therefore be interpreted as only
            a hint, not proof, that the specified destination is
            unreachable [IP:11].

What JC means is, of course, correct as per the same section of this RFC:

	A transport protocol
            that has its own mechanism for notifying the sender that a
            port is unreachable (e.g., TCP, which sends RST segments)
            MUST nevertheless accept an ICMP Port Unreachable for the
            same purpose.

In general, playing with ICMP SHOULD always be accompanied by
research of the RFCs and MUST NOT be done based on mailing list
recommendations alone.
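To make the two RFC 1122 quotes above concrete, here is an added example (not code from the original post or from anyone in this thread) of what a TCP sender is supposed to do with an incoming ICMP Destination Unreachable: codes 0, 1 and 5 are treated as a hint and the connection keeps retransmitting, code 3 (port unreachable) is treated like a received RST. The packets are constructed inline, not captured; the checksum verification and the check that the quoted datagram actually belongs to the connection are my additions, not something the quoted RFC text spells out.

```python
"""RFC 1122 sect. 4.2.3.9 handling of ICMP Destination Unreachable in a TCP
sender.  Added example, not from the original thread; every packet below is
constructed here, not captured traffic.
"""
import socket
import struct
from enum import Enum

ICMP_DEST_UNREACH = 3
HINT_CODES = {0, 1, 5}   # net / host / bad source route: may be a routing transient
HARD_CODES = {3}         # port unreachable: same effect as a TCP RST


class Verdict(Enum):
    KEEP_RETRYING = "soft error: hint only, keep retransmitting until the normal timeout"
    ABORT = "hard error: abort the connection as a RST would"
    IGNORE = "not for this connection, or a code the quoted RFC text does not cover"


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum. Over a message whose checksum field is
    already filled in correctly the result is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_quoted_datagram(src: str, sport: int, dst: str, dport: int) -> bytes:
    """20-byte IPv4 header (proto 6, IP checksum left 0, constructed) plus the
    first 8 bytes of the TCP segment (ports and sequence number): the part of
    the offending datagram an ICMP error quotes back to the sender."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp8 = struct.pack("!HHI", sport, dport, 1)   # seq 1, arbitrary
    return ip + tcp8


def build_dest_unreach(code: int, quoted: bytes) -> bytes:
    """Assemble a type-3 ICMP message with a valid checksum (test input only)."""
    body = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + quoted
    csum = inet_checksum(body)
    return struct.pack("!BBHI", ICMP_DEST_UNREACH, code, csum, 0) + quoted


def parse_dest_unreach(msg: bytes) -> dict:
    """Validate the ICMP header and pull the 4-tuple out of the quoted datagram."""
    if len(msg) < 8 + 20 + 8:
        raise ValueError("too short: need ICMP header + IP header + 8 bytes")
    itype, code, _csum, _unused = struct.unpack("!BBHI", msg[:8])
    if itype != ICMP_DEST_UNREACH:
        raise ValueError("not a Destination Unreachable message (type %d)" % itype)
    if inet_checksum(msg) != 0:
        raise ValueError("bad ICMP checksum")
    inner = msg[8:]
    ihl = (inner[0] & 0x0F) * 4
    if (inner[0] >> 4) != 4 or ihl < 20 or len(inner) < ihl + 8:
        raise ValueError("quoted datagram is not a parseable IPv4 header + 8 bytes")
    proto = inner[9]
    src, dst = socket.inet_ntoa(inner[12:16]), socket.inet_ntoa(inner[16:20])
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return {"code": code, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport}


def tcp_verdict(msg: bytes, local: tuple, remote: tuple) -> Verdict:
    """What a TCP with endpoints local=(ip, port) and remote=(ip, port) should
    do with an incoming Destination Unreachable.

    The quoted header must match this connection: an error about someone
    else's datagram (or a forged one that guesses the ports wrong) must not
    touch this socket.  Only then does the RFC 1122 code table apply.
    """
    info = parse_dest_unreach(msg)
    if info["proto"] != 6 or (info["src"], info["sport"]) != tuple(local) \
            or (info["dst"], info["dport"]) != tuple(remote):
        return Verdict.IGNORE
    if info["code"] in HARD_CODES:
        return Verdict.ABORT
    if info["code"] in HINT_CODES:
        return Verdict.KEEP_RETRYING
    return Verdict.IGNORE


if __name__ == "__main__":
    local, remote = ("192.0.2.10", 40000), ("198.51.100.5", 22)
    quoted = build_quoted_datagram(*local, *remote)   # our SYN, as the router quotes it
    for code in (0, 1, 3, 5):
        print(code, tcp_verdict(build_dest_unreach(code, quoted), local, remote).value)
```

The practical reading for a firewall rule: an iptables REJECT with --reject-with tcp-reset or icmp-port-unreachable gives the peer a hard error and it stops immediately; --reject-with icmp-host-unreachable or icmp-net-unreachable is, per the RFC text quoted above, only a hint, so a conforming peer keeps retransmitting until its own timeout, much as it would with DROP.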


