Great Circle Associates Firewalls
(March 1993)
 

Indexed By Date: [Previous] [Next] Indexed By Thread: [Previous] [Next]

Subject: Re: Should packets just be dropped...
From: Tim Guarnieri <timg @ mv . us . adobe . com>
Date: Tue, 02 Mar 93 16:24:04 -0800
To: mischler @ cubic . com (Dave Mischler)
Cc: FireWalls @ GreatCircle . COM
In-reply-to: Your message of "Tue, 02 Mar 93 16:48:24 EST." <9303022148 . AA03923 @ norman . li . cubic . com>

>>    It seems that most (all?) existing packet filtering implementations
>>    simply drop packets when they should not be passed.  Wouldn't it be
>>    better to send an ICMP Destination Unreachable type 9 "Communication
>>    with destination network administratively prohibited" (this message is
>>    defined by RFC 1122).
  
If you haven't already, you should check out Jeff Mogul's screend code
(its available via anonymous ftp from gatekeeper.dec.com).  It also
comes with Ultrix 4.2 (and above).  So, if you have an Ultrix machine
nearby, man screend will be helpful.

It logs the packet header when packets are rejected.  Also, there are
switches you can give it to log packet headers on accepted connections 
as well, but that could get voluminous as it would log every packet 
header it saw during the life of the connection.

The daemon (screend) compiles easily enough, but you need to make some
minor kernel mods to whatever OS you are running (if not Ultrix) for
things to work.  It's all documented in the screend.tar.Z file on
gatekeeper.

------
Tim Guarnieri					timg @
 mv .
 us .
 adobe .
 com
Adobe Systems Incorporated, Mountain View, CA	adobe!timg




References:
Indexed By Date Previous: Re: Should packets just be dropped...
From: jim @ tadpole . com (Jim Thompson)
Next: tcpr ftp bug fix release 1.1.3
From: "G. Paul Ziemba" <paul @ alantec . com>
Indexed By Thread Previous: Should packets just be dropped...
From: mischler @ Cubic . COM (Dave Mischler)
Next: Should packets just be dropped...
From: louis @ andataco . com

Google
 
Search Internet Search www.greatcircle.com