Taral wrote:
> On Wed, 14 Jul 1999, Jamie Lokier wrote:
> 
> > Excellent, so a "tcprst" rule instead of "reject" in the host's packet
> > firewall is ok then?
> 
> I don't understand why this is necessary. Firewalls are designed to
> isolate a network from another network. There is only ONE way to a host
> behind a firewall, and that is through that firewall. So "reject" should
> send a RST (or ICMP port unreachable, same difference) on TCP packets.

My understanding of Alexey's point is that RST is ok from a host,
but what if you have firewalls on a router?

In that case you might erroneously receive a packet due to routing
transient errors and send a RST -- which would break a TCP connection
that should not be broken -- the sending TCP should be retrying until
the routing transient passes.

I admit I don't know how these transients can happen.

But anyway, this means "tcprst" is appropriate on a host and "reject" on
a router.

-- Jamie
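To make the host-versus-router argument above concrete, here is a small added simulation (not code from the thread or from any kernel or firewall project). It models a router that, for a few packets, mis-routes an established connection's segment onto its own reject rule, and compares a rule answering with a TCP RST against one answering with an ICMP port-unreachable. The rule names mirror the real iptables `REJECT --reject-with tcp-reset` and `icmp-port-unreachable` options; the sender's behaviour is a deliberate simplification and an assumption: a RST aborts the connection at once, while an ICMP error in ESTABLISHED state is only noted as a soft error and the segment is retransmitted (which is how Linux treats ICMP errors on established sockets, aborting only when the retransmit budget runs out). The transient length and retry budget are constructed values.

```python
"""Toy model of a routing transient hitting a firewall reject rule.

Constructed example, not code from the linux-net thread: a TCP sender in
ESTABLISHED state keeps retransmitting a segment while a router, for a few
packets, mis-routes that segment into its own reject rule.  A router that
answers with a RST kills the connection; one that answers with an ICMP
port-unreachable lets the sender ride out the transient.
"""
from dataclasses import dataclass
from enum import Enum


class Reject(Enum):
    """How the firewall rule answers a packet it refuses; the values are the
    real iptables REJECT --reject-with option names."""
    TCP_RST = "tcp-reset"
    ICMP_UNREACH = "icmp-port-unreachable"


@dataclass
class Router:
    """Router whose first `transient_len` packets are mis-routed into its
    reject rule before the routing transient clears (constructed behaviour)."""
    transient_len: int
    policy: Reject
    seen: int = 0

    def forward(self, segment: bytes):
        """Return ("delivered", segment) or ("reject", Reject.<policy>)."""
        self.seen += 1
        if self.seen <= self.transient_len:
            return ("reject", self.policy)
        return ("delivered", segment)


@dataclass
class TcpSender:
    """Minimal ESTABLISHED-state sender.  Assumption (matches Linux, which
    only records a soft error on established sockets): a RST is a hard
    abort, an ICMP unreachable is a soft error and the segment is retried
    until the retransmit budget is exhausted."""
    state: str = "ESTABLISHED"
    retransmissions: int = 0
    soft_errors: int = 0

    def send(self, router: Router, segment: bytes, max_retries: int) -> bool:
        for _ in range(max_retries + 1):
            outcome, info = router.forward(segment)
            if outcome == "delivered":
                return True
            if info is Reject.TCP_RST:
                self.state = "CLOSED"        # hard abort: the connection is gone
                return False
            self.soft_errors += 1            # ICMP error noted, not fatal
            self.retransmissions += 1        # retry once the timer fires
        self.state = "CLOSED"                # retry budget exhausted
        return False


def run_scenario(policy: Reject, transient_len: int = 2, max_retries: int = 5):
    """Return (delivered?, final sender state, retransmissions) for one run
    with constructed transient length and retry budget."""
    router = Router(transient_len=transient_len, policy=policy)
    sender = TcpSender()
    delivered = sender.send(router, b"constructed-payload", max_retries)
    return delivered, sender.state, sender.retransmissions


if __name__ == "__main__":
    for policy in Reject:
        print(policy.value, run_scenario(policy))
```

Run with no arguments: the `tcp-reset` router aborts the established connection on the very first mis-routed packet, while the `icmp-port-unreachable` router costs two retransmissions and the connection survives; only a transient longer than the retry budget closes it. On a host there is a single path and nothing to wait out, so the immediate RST is the right answer there, which is the distinction the message draws.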