> Hello!
Hi!
> > Your point isn't relevant to the firewall. I can *already* send RSTs by
> > simply not binding a socket to the port. All I want is a different way
> > to accomplish this: at the packet firewall layer.
>
> Parse error. Are you talking about the host stack or about the firewall?
Well, the examples Taral and I are talking about are at the host, in the
firewall on that host.
> If you want to send RSTs from the final host, please do. Nobody may prohibit
> doing it, no matter what part of the host IP stack generates them.
Excellent, so a "tcprst" rule instead of "reject" in the host's packet
firewall is ok then?
> > >>>>>> These are hard error conditions, so TCP SHOULD abort
> > >>>>>> the connection.
>
> Now think about why these errors are hard. Did you guess? No?
>
> Because port unreachable was supposed to be generated
> only by final destinations, exactly as RSTs.
Yup, I guess this much, thanks.
> When this document was written, nobody could imagine even in a nightmare
> that such beasts as firewalls masquerading as final destinations
> would appear. If they start to generate RSTs in addition, hosts
> will have to protect themselves too.
I don't see how this changes anything. If firewalls masquerading as
final destinations generate RSTs, it's because they _want_ the same
behavior as a final destination sending RSTs!
-- Jamie
-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to [EMAIL PROTECTED]
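An added example, not part of the thread above and not code from Jamie, Taral or anyone else on the list: a small Python probe that shows, from the client side, what the host stack does when no socket is bound to a port, namely answer the SYN with a RST so that connect() fails at once with ECONNREFUSED, as opposed to a silent DROP, where the client hangs until its own timeout expires. The helper names (free_tcp_port, classify_connect, demo), the loopback addresses and the ports it picks are this example's own assumptions. On Linux an ICMP port unreachable that arrives while the socket is in SYN_SENT is reported as the same ECONNREFUSED, which is the "hard error" abort quoted above and why a RST from a host firewall and an ICMP reject look the same to a connecting client.

```python
"""Observe, from the client side, what a host does when nothing is bound to a
TCP port: the stack answers the SYN with a RST and connect() fails immediately
with ECONNREFUSED.  Added example for the linux-net thread above; the helper
names and loopback ports are this example's own assumptions."""
import errno
import socket
import time


def free_tcp_port():
    """Ask the kernel for an unused port, then release it, so that nothing is
    bound there when it is probed (a constructed 'closed port')."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def classify_connect(host, port, timeout=2.0):
    """Return (outcome, elapsed_seconds) for one TCP connect attempt.

    'refused'     ECONNREFUSED: the peer answered the SYN with a RST, or an
                  ICMP port unreachable arrived in SYN_SENT (Linux maps both
                  to ECONNREFUSED, the RFC 1122 'hard error' abort).
    'filtered'    no answer at all within the timeout: a DROP rule or a
                  black hole, the client is left waiting.
    'unreachable' EHOSTUNREACH / ENETUNREACH from an ICMP host or network
                  unreachable, or no route at all.
    'open'        the three-way handshake completed.
    The elapsed time is the practical difference a client feels between a
    RST/reject (instant) and a silent drop (full timeout)."""
    start = time.monotonic()
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            outcome = "open"
        except ConnectionRefusedError:
            outcome = "refused"
        except socket.timeout:
            outcome = "filtered"
        except OSError as e:
            if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
                outcome = "unreachable"
            else:
                raise
    return outcome, time.monotonic() - start


def demo():
    """Probe a loopback port nobody listens on (the kernel sends a RST) and a
    port with a listener (the handshake completes); return both outcomes."""
    closed_outcome, closed_secs = classify_connect("127.0.0.1", free_tcp_port())
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        open_outcome, _ = classify_connect("127.0.0.1", srv.getsockname()[1])
    return {
        "closed_port": closed_outcome,
        "closed_port_seconds": closed_secs,
        "listening_port": open_outcome,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Only the RST ("refused") and "open" branches can be reproduced on loopback without a firewall; to see the "filtered" branch, point classify_connect at a port behind a DROP rule and note that the call only returns when the timeout argument expires, which is exactly the client-side behaviour a "tcprst" or ICMP reject rule avoids.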