Re: Firewall - DROP or DENY
I am writing this just to make sure all readers think about these
things and I don't mean to imply the authors in this thread don't know
about what I am about to say. With my behind thusly covered:
>>>>> "JC" == Juan Cespedes <cespedes@debian.org> writes:
[...]
JC> Not necessarily. If you drop the packets, the remote will try
JC> to contact you a few times until a timeout is reached.
Correct.
JC> If the
JC> remote party sees a TCP RST or a ICMP UNREACH, it will not try
JC> to contact you again.
TCP RST, yes; ICMP unreachable variants should be used with care,
though. See the host requirements RFC. I quote from RFC 1122 sect.
3.2.2.1:
----
A Destination Unreachable message that is received with code
0 (Net), 1 (Host), or 5 (Bad Source Route) may result from a
routing transient and MUST therefore be interpreted as only
a hint, not proof, that the specified destination is
unreachable [IP:11].
----
What JC means is, of course, correct as per the same section of this RFC:
----
A transport protocol
that has its own mechanism for notifying the sender that a
port is unreachable (e.g., TCP, which sends RST segments)
MUST nevertheless accept an ICMP Port Unreachable for the
same purpose.
----
In general, playing with ICMP SHOULD always be accompanied with
research of RFCs and MUST NOT be done based on mailing list
recommendations alone.
cheers,
BM
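The RFC 1122 distinction the post quotes (codes 0, 1 and 5 are only a hint, while a Port Unreachable is acted upon like a RST) is easy to see in the packet itself. The following is an added example, not code from the thread or from Debian: it constructs an ICMP Destination Unreachable message of the kind a host or an iptables REJECT target (`--reject-with icmp-port-unreachable`) sends back, quoting the original IPv4 header and the first 8 bytes of the TCP segment, then parses it and reports how a TCP sender should react. The addresses, ports and the `build_*`/`parse_dest_unreach` helper names are all constructed for this example.

```python
import socket
import struct

ICMP_DEST_UNREACH = 3

# RFC 1122 sect. 3.2.2.1: these codes may stem from a routing transient and
# are only a hint, not proof, that the destination is unreachable.
SOFT_CODES = {0: "net unreachable", 1: "host unreachable", 5: "bad source route"}
# RFC 1122 sect. 4.2.3.9: these are hard errors; TCP SHOULD abort the connection.
HARD_CODES = {2: "protocol unreachable", 3: "port unreachable",
              4: "fragmentation needed and DF set"}


def inet_checksum(data: bytes) -> int:
    """One's-complement Internet checksum (RFC 1071) over data."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, total_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_dest_unreach(code: int, original_datagram: bytes) -> bytes:
    """ICMP type 3 message quoting the original IP header plus 8 bytes of
    transport header, as a rejecting host or firewall would emit it."""
    quoted = original_datagram[:28]
    body = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + quoted
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def parse_dest_unreach(msg: bytes) -> dict:
    """Decode a Destination Unreachable and classify it per RFC 1122."""
    if len(msg) < 8 + 20 + 8:
        raise ValueError("too short to carry the quoted IP header + 8 bytes")
    if inet_checksum(msg) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, code = msg[0], msg[1]
    if icmp_type != ICMP_DEST_UNREACH:
        raise ValueError("not a Destination Unreachable message")
    ip = msg[8:28]
    if (ip[0] & 0x0F) * 4 != 20:
        raise ValueError("quoted IP header with options is not handled here")
    proto = ip[9]
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    # First 8 bytes of a TCP or UDP header start with source and dest port.
    sport, dport = struct.unpack("!HH", msg[28:32])
    if code in SOFT_CODES:
        severity, tcp_action = "soft", "keep retrying: hint only, MUST NOT abort"
    elif code in HARD_CODES:
        severity, tcp_action = "hard", "abort the connection (SHOULD abort)"
    else:
        severity, tcp_action = "unknown", "ignore"
    return {"code": code, "name": SOFT_CODES.get(code, HARD_CODES.get(code, "?")),
            "severity": severity, "tcp_action": tcp_action,
            "src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport}


def demo_syn_rejected(code: int) -> dict:
    """Constructed scenario: a SYN from 192.0.2.10:40000 to 198.51.100.5:22
    is answered with a Destination Unreachable of the given code."""
    syn_start = struct.pack("!HHI", 40000, 22, 0)   # ports + sequence number
    original = build_ipv4_header("192.0.2.10", "198.51.100.5", 6, 40) + syn_start
    return parse_dest_unreach(build_dest_unreach(code, original))


if __name__ == "__main__":
    for c in (3, 1):
        r = demo_syn_rejected(c)
        print("code %d (%s): %s -> TCP should %s"
              % (r["code"], r["name"], r["severity"], r["tcp_action"]))
```

A DROP rule produces none of these messages, so the peer's TCP keeps retransmitting the SYN until its own timer gives up, which is the "tries a few times until a timeout" behaviour JC describes; a REJECT with `tcp-reset` or `icmp-port-unreachable` ends that immediately, whereas a Host or Net Unreachable only hints and a conforming stack keeps trying.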
--
To UNSUBSCRIBE, email to debian-firewall-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org