Great Circle Associates Firewalls
(March 1993)
 


Subject: Should packets just be dropped...
From: mischler @ Cubic . COM (Dave Mischler)
Date: Tue, 2 Mar 93 16:48:24 -0500
To: FireWalls @ GreatCircle . COM

It seems that most (all?) existing packet filtering implementations
simply drop packets when they should not be passed.  Wouldn't it be
better to send an ICMP Destination Unreachable type 9 "Communication
with destination network administratively prohibited" (this message is
defined by RFC 1122)?

I can see a few implementation details such as not sending this
message if the denied packet is a broadcast or ICMP message.

Would there be serious problems with TCP/IP implementations based
on earlier RFCs?

Dave Mischler
mischler @ cubic . com
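
The reject-versus-drop decision raised in the message above, as an added example that is not part of the original post: it skips the reply for ICMP and broadcast packets as the message suggests, also skips multicast destinations and non-initial fragments (RFC 1122 section 3.2.2 lists those as well), and otherwise builds an ICMP Destination Unreachable message (type 3) with code 9. The function names, the 198.51.100.0/24 protected network and the sample packets are assumptions constructed for illustration.

```python
import ipaddress
import struct

ICMP_DEST_UNREACH = 3    # ICMP type: Destination Unreachable
CODE_NET_PROHIBITED = 9  # code 9 (RFC 1122): destination network administratively prohibited

def checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071): ones' complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def should_reply(pkt: bytes, net: ipaddress.IPv4Network) -> bool:
    """True if a denied IPv4 packet may be answered with an ICMP error."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or not 20 <= (pkt[0] & 0x0F) * 4 <= len(pkt):
        return False                       # not a parseable IPv4 packet
    if pkt[9] == 1:                        # protocol 1 = ICMP: never answer ICMP
        return False
    dst = ipaddress.IPv4Address(pkt[16:20])
    if dst.is_multicast or dst in (net.broadcast_address,
                                   ipaddress.IPv4Address("255.255.255.255")):
        return False                       # broadcast or multicast destination
    return struct.unpack("!H", pkt[6:8])[0] & 0x1FFF == 0  # initial fragment only

def build_unreachable(pkt: bytes) -> bytes:
    """ICMP message: 8-byte header, then the offending IP header + 8 data bytes."""
    quoted = pkt[:(pkt[0] & 0x0F) * 4 + 8]
    head = struct.pack("!BBHI", ICMP_DEST_UNREACH, CODE_NET_PROHIBITED, 0, 0)
    csum = checksum(head + quoted)
    return struct.pack("!BBHI", ICMP_DEST_UNREACH, CODE_NET_PROHIBITED, csum, 0) + quoted

def sample_packet(proto: int, dst: str, frag: int = 0) -> bytes:
    """Constructed input: minimal IPv4 header (checksum left 0) + 8 data bytes."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 1, frag, 64, proto, 0,
                      ipaddress.IPv4Address("192.0.2.10").packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + bytes.fromhex("c0de001700000001")  # ports 49374 -> 23, 4 more bytes

if __name__ == "__main__":
    inside = ipaddress.IPv4Network("198.51.100.0/24")  # assumed protected network
    for proto, dst in [(6, "198.51.100.7"), (1, "198.51.100.7"), (17, "198.51.100.255")]:
        p = sample_packet(proto, dst)
        print(proto, dst, build_unreachable(p).hex() if should_reply(p, inside) else "drop silently")
```

The returned bytes are the ICMP message only; the filter still has to wrap them in an IP header addressed to the source of the denied packet.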


