Hello!

> Your point isn't relevant to the firewall.  I can *already* send RSTs by
> simply not binding a socket to the port.  All I want is a different way
> to accomplish this: at the packet firewall layer.

Parse error. Are you talking about the host stack or about the firewall?

If you want to send RSTs from the final host, please do. Nobody may prohibit
you from doing it, no matter what part of the host IP stack generates them.

>   >>>>>>         These are hard error conditions, so TCP SHOULD abort
>   >>>>>>         the connection.

Now think about why these errors are hard. Did you guess? No?

Because port unreachable was supposed to be generated
only by final destinations, exactly as RSTs.

When this document was written, nobody could imagine, even in a nightmare,
that such beasts as firewalls masquerading as final destinations
would appear. If they start to generate RSTs in addition, hosts
will have to protect themselves too.

Alexey