Great Circle Associates Firewalls
(October 1992)

Subject: Re: Filters and interfaces.
From: smb @ ulysses . att . com
Date: Mon, 05 Oct 92 16:28:33 EDT
To: bede @ linus . mitre . org
Cc: Firewalls @ GreatCircle . COM

	 A cursory look at RFC 1009 indicates there is no *requirement* that
	 gateways return an ICMP x Unreachable in the case at hand.  In any
	 case, both the network and the host are reachable --- just not for
	 all applications.  There is no ICMP message defined specifically for
	 this case, although there is always the catch-all Parameter Problem
	 message.

1009 is fairly out of date; I should check the drafts directories for
a new router requirements document.

Anyway, the right code is Destination Unreachable, code 10.  That value
is defined by RFC1122 for ``administratively prohibited''.  Unfortunately,
4.3bsd, and likely many of its descendants, will ignore any ICMP message
with a code value they consider invalid.  Thus, Cisco routers send back
``host unreachable''.

		--Steve Bellovin
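
The behaviour described in this message, as an added example that is not part of the original post: C code that builds an ICMP Destination Unreachable message with a given code and models a receiver that ignores codes above a limit. The limit `LEGACY_MAX_CODE` of 5, the function names and the sample datagram are assumptions made for illustration.

```c
#include <stdint.h>
#include <string.h>

#define ICMP_UNREACH      3   /* type: Destination Unreachable */
#define CODE_HOST_UNREACH 1   /* "host unreachable" */
#define CODE_ADMIN_PROHIB 10  /* the "administratively prohibited" code named in the message */
#define LEGACY_MAX_CODE   5   /* ASSUMPTION: highest code an older stack accepts */

/* Constructed sample: IPv4 header (192.0.2.1 -> 198.51.100.7, TCP, header
 * checksum left zero) plus the first 8 bytes of the TCP header (dst port 23). */
static const uint8_t SAMPLE_DGRAM[28] = {
    0x45, 0, 0, 40, 0, 1, 0, 0, 64, 6, 0, 0, 192, 0, 2, 1, 198, 51, 100, 7,
    0x04, 0x00, 0x00, 0x17, 0, 0, 0, 1 };

/* RFC 1071 Internet checksum; returns 0 when run over a valid message. */
static uint16_t inet_cksum(const uint8_t *p, size_t len)
{
    uint32_t sum = 0;
    for (; len > 1; p += 2, len -= 2)
        sum += (uint32_t)p[0] << 8 | p[1];
    if (len) sum += (uint32_t)p[0] << 8;      /* odd trailing byte */
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);   /* fold carries */
    return (uint16_t)~sum;
}

/* Build type 3 / given code: 8-byte ICMP header, then the rejected datagram's
 * IP header and first 8 data bytes. Returns message length, 0 if it won't fit. */
size_t build_unreach(uint8_t *out, size_t cap, uint8_t code,
                     const uint8_t *orig, size_t orig_len)
{
    if (cap < 8 + orig_len) return 0;
    memset(out, 0, 8);              /* checksum and unused field start as zero */
    out[0] = ICMP_UNREACH;
    out[1] = code;
    memcpy(out + 8, orig, orig_len);
    uint16_t ck = inet_cksum(out, 8 + orig_len);
    out[2] = (uint8_t)(ck >> 8);
    out[3] = (uint8_t)(ck & 0xff);
    return 8 + orig_len;
}

/* 1 = delivered upward, 0 = ignored (code > max_code), -1 = malformed. */
int receive_unreach(const uint8_t *msg, size_t len, uint8_t max_code)
{
    if (len < 8 || msg[0] != ICMP_UNREACH || inet_cksum(msg, len) != 0)
        return -1;
    return msg[1] <= max_code;
}
```

With these assumptions, a code 10 message is well-formed but a receiver limited to `LEGACY_MAX_CODE` ignores it, while the same message sent with code 1 is delivered.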