Firewalls: Should packets just be dropped...

Firewalls
(March 1993)

Indexed By Thread: [Previous] [Next]

Subject:	Should packets just be dropped...
From:	mischler @ Cubic . COM (Dave Mischler)
Date:	Tue, 2 Mar 93 16:48:24 -0500
To:	FireWalls @ GreatCircle . COM

It seems that most (all?) existing packet filtering implementations
simply drop packets when they should not be passed.  Wouldn't it be
better to send an ICMP Destination Unreachable type 9 "Communication
with destination network administratively prohibited" (this message is
defined by RFC 1122).

I can see a few implementation details such as not sending this
message if the denied packet is a broadcast or ICMP message.

Would there be serious problems with TCP/IP implementations based
on earlier RFCs?

Dave Mischler
mischler @
 cubic .
 com

Follow-Ups:

Should packets just be dropped...
From: louis @ andataco . com
Re: Should packets just be dropped...
From: Tim Guarnieri <timg @ mv . us . adobe . com>

Indexed By Date	Previous:	RE: SecurID & ARA Appletalk From: Leland K. Neely <lkn @ llnl . gov>
Indexed By Date	Next:	Re: Should packets just be dropped... From: jim @ tadpole . com (Jim Thompson)
Indexed By Thread	Previous:	RE: SecurID & ARA Appletalk From: Leland K. Neely <lkn @ llnl . gov>
Indexed By Thread	Next:	Re: Should packets just be dropped... From: Tim Guarnieri <timg @ mv . us . adobe . com>