Taral wrote:
> > But generally: linux will send fake RSTs only via my corpse.
> > If firewalls will start to use RST instead of ICMP, we have to
> > ignore RST in established state. Is it good? The question is rhetorical.
>
> Sorry to disappoint you, but I thought the firewalls sent RST if you
> specified 'reject' on a TCP packet...
Not unless the kernel's changed in the last few months it doesn't.
A quick peek at ip_input.c:

    if (fwres == FW_REJECT) {
        icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
        goto drop;
    }

enjoy,
-- Jamie
