[EMAIL PROTECTED] wrote:
> > I can't see why we'd have to ignore RSTs in an established state.
> > Care to give an example?
>
> Think a bit why transient ICMP errors are ignored in established state.
>
> If firewalls will generate RSTs their status becomes equal to ICMP
> transient errors.

So the present behaviour of ignoring ICMP policy reject+port unreachable during TCP Syn setup is correct? If something gets such an ICMP from my box, that is most definitely intended to mean "nothing served here, move on". Nothing transient about it.

The problem is I can set up sophisticated firewall rules easily and I'm confident in them, but doing the same at the app. level is much more difficult, and I have to trust complex app. level code.

-- Jamie

-
To unsubscribe from this list: send the line "unsubscribe linux-net" in the body of a message to [EMAIL PROTECTED]
