In some mail from Tony Li, sie said:
> Many firewalls/firewall software now support sending back those nice
> ICMP messages saying that the destination host was unreachable. While
> this is nice for those in and outside, is there any structuring beyond
> the simple "host unreachable" ?
>
> Actually, router requirements, RFC 1812, defines a new ICMP
> Unreachable code: Communication Administratively Prohibited, which is
> the preferred mechanism for filtering routers. [Coming soon to a
> cisco near you. ;-) ]
Hmmm, a newbie ICMP.
[...]
> I've managed to get a packet
> filter designed and supported which sends out FAKE TCP RSTs instead of
> ICMP unreachables - if told to. How many RFCs does this break ? :)
>
> None that I'm aware of. However, what do you do about UDP?
Still use ICMP... after all, that's what gets used between hosts with no
intervening firewall.
> My justification is that if I block certain TCP SYN packets and send back
> an RST in reply, not only do I stop the connection and send back a nack,
> but in using TCP's RST, I can usually effect a much quicker nack response
> than with ICMPs - and much safer too!
>
> A host can immediately process the new ICMP unreachable code as a NAK,
> as it is presumed to have a long half-life.
Except, being new, which of the currently deployed TCP/IP stacks will
recognise it for what it is ? (Including commercial products)
darren
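The two reply mechanisms under discussion, as an added worked example that is not part of the original mail and not the code of any filter mentioned in it: for a blocked TCP SYN the filter forges the RST+ACK the destination would have sent for a closed port (RFC 793: seq 0, ack = the SYN's sequence number plus one), and for anything else, UDP included, it sends an ICMP Destination Unreachable with the RFC 1812 code 13 (Communication Administratively Prohibited), quoting the IP header and first 64 bits of the offending datagram as RFC 792 requires. The addresses, ports and the router address are constructed assumptions; `filter_reply`, `describe` and `checksums_ok` are names chosen here, not from any real product.

```python
import socket
import struct

# Protocol constants (RFC 790, 792, 793, 1812)
IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17
ICMP_DEST_UNREACH = 3
ICMP_ADMIN_PROHIBITED = 13          # "Communication Administratively Prohibited", RFC 1812
TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; 0 over data that carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: bytes, dst: bytes, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def parse_ipv4(pkt: bytes):
    """Return (header length, protocol, src, dst) of an IPv4 datagram without options handling beyond IHL."""
    ihl = (pkt[0] & 0x0F) * 4
    return ihl, pkt[9], pkt[12:16], pkt[16:20]


def tcp_segment(src, dst, sport, dport, seq, ack, flags, payload=b"") -> bytes:
    """IP + TCP (no options) with the pseudo-header checksum filled in."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0) + payload
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, IPPROTO_TCP, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", inet_checksum(pseudo + tcp)) + tcp[18:]
    return ipv4_header(src, dst, IPPROTO_TCP, len(tcp)) + tcp


def udp_datagram(src, dst, sport, dport, payload=b"") -> bytes:
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload   # UDP checksum 0 = absent (IPv4)
    return ipv4_header(src, dst, IPPROTO_UDP, len(udp)) + udp


def icmp_admin_prohibited(router: bytes, offending: bytes) -> bytes:
    """ICMP type 3 code 13 from the router to the sender, quoting IP header + first 8 bytes (RFC 792 minimum)."""
    ihl, _, src, _ = parse_ipv4(offending)
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, ICMP_ADMIN_PROHIBITED, 0, 0) + offending[:ihl + 8]
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return ipv4_header(router, src, IPPROTO_ICMP, len(icmp)) + icmp


def filter_reply(router: bytes, pkt: bytes, fake_rst: bool = True) -> bytes:
    """What the filter sends back for a datagram it has decided to block.

    A TCP SYN (when fake_rst is on) gets the RST the destination host would send for a
    closed port, RFC 793 3.4: <SEQ=0><ACK=SEG.SEQ+SEG.LEN><CTL=RST,ACK>, the SYN itself
    counting as one octet of sequence space.  It is forged with the blocked host's
    address as source.  Everything else, UDP included, gets the ICMP unreachable.
    """
    ihl, proto, src, dst = parse_ipv4(pkt)
    if fake_rst and proto == IPPROTO_TCP:
        sport, dport, seq, _ack, _off, flags = struct.unpack("!HHIIBB", pkt[ihl:ihl + 14])
        if flags & TCP_SYN and not flags & TCP_ACK:
            return tcp_segment(dst, src, dport, sport, 0, (seq + 1) & 0xFFFFFFFF, TCP_RST | TCP_ACK)
    return icmp_admin_prohibited(router, pkt)


def describe(pkt: bytes):
    """Classify a reply: ('rst', ack) or ('icmp', type, code, protocol of the quoted datagram)."""
    ihl, proto, _, _ = parse_ipv4(pkt)
    body = pkt[ihl:]
    if proto == IPPROTO_TCP:
        return ("rst", struct.unpack("!I", body[8:12])[0]) if body[13] & TCP_RST else ("tcp",)
    if proto == IPPROTO_ICMP:
        return ("icmp", body[0], body[1], body[8 + 9])     # byte 9 of the quoted IP header is its protocol
    return ("other",)


def checksums_ok(pkt: bytes) -> bool:
    """True if the IP header and the TCP/ICMP body both verify."""
    ihl, proto, src, dst = parse_ipv4(pkt)
    if inet_checksum(pkt[:ihl]) != 0:
        return False
    body = pkt[ihl:]
    if proto == IPPROTO_TCP:
        return inet_checksum(struct.pack("!4s4sBBH", src, dst, 0, IPPROTO_TCP, len(body)) + body) == 0
    if proto == IPPROTO_ICMP:
        return inet_checksum(body) == 0
    return True


# Constructed sample traffic (assumed addresses, not from the original mail)
A = socket.inet_aton("10.0.0.2")      # outside host sending the probes
B = socket.inet_aton("192.0.2.10")    # filtered host behind the router
R = socket.inet_aton("192.0.2.1")     # the filtering router itself
SYN_TO_TELNET = tcp_segment(A, B, 40000, 23, 1000, 0, TCP_SYN)
UDP_TO_DNS = udp_datagram(A, B, 5000, 53, b"\x00" * 12)

if __name__ == "__main__":
    for name, probe in (("SYN", SYN_TO_TELNET), ("UDP", UDP_TO_DNS)):
        reply = filter_reply(R, probe)
        print(name, describe(reply), "checksums ok:", checksums_ok(reply))
```

Running it with `fake_rst=False` turns the TCP path back into the plain ICMP reply, which is what a filter had before the RST trick. Note that the RST is addressed from the blocked host and carries a TCP checksum that verifies, so the probing stack has no way to tell it from a real refusal; the ICMP message, by contrast, comes from the router's own address and relies on the receiving stack recognising code 13, which is exactly the deployment question raised in the mail.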