Re: ICMP dest-unreach in SYN_* states of TCP

[Tim Fletcher]

> > How did the packet reach this firewall? Firewall (if it is not
> > embedded to destination host) cannot differ packets lost in the internet
> > of "administaratively obeyed" to it.
> > It is pretty common case in networks of topology different of trivial.
> 
> Real firewalls are on the path from source to destination. If the packet
> matched a REJECT filter rule once, it will do so again if the packet is
> resent. 

Not always, consider a firewall that is partway though boot, and as a
security measure puts a deny all on the external interface until the boot
process is finished, and then finally runs a firewall setup script.

--

      Tim Fletcher                  .~.
                                    /V\       L   I   N   U   X   
   [EMAIL PROTECTED]           // \  >Don't fear the penguin<
 [EMAIL PROTECTED]      /(   )\
                                   ^^-^^

Catapultam habeo. Nisi pecuniam omnem mihi dabis, ad caput tuum saxum
immane mittam (For non-latiners: "I have a catapult. Give me all the
money, or I will fling an enormous rock at your head.")


-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to [EMAIL PROTECTED]