[EMAIL PROTECTED] wrote:
> Hello!
>
> > I don't want to simply prohibit a connection: I want the other end's
> > attempt to abort immediately.
>
> Hmm... stop, it is aborted by ICMP with the same success.
Success yes, but timing totally different.
With ICMP it takes 75 seconds to abort, with RST it takes 0 seconds.
I don't want to just "prohibit access": I want the other end to take
appropriate action _as if_ I have no daemon running.
"So if I have my firewall rules to reject TCP on port 113 (auth/ident),
our Digital Unix smtp server spends a long time retrying with the same
SYN packet.
The net result is that sending mail takes ages, because the remote smtp
server won't accept mail until the connection to my port 113 times out."
Here follows a packet trace.
With sending RSTs:
==================
----- Digital Unix end -----
[dxplus05] /afs/cern.ch/user/j/jlokier > time telnet pcep-jamie.cern.ch 1023
Trying 137.138.38.126...
telnet: Unable to connect to remote host: Connection refused
real 0.0
user 0.0
sys 0.0
----- Linux end -----
[root@pcep-jamie jladmin]# tcpdump 'host dxplus05 and ( port 1023 or icmp )'
tcpdump: listening on eth0
21:16:45.801494 dxplus05.cern.ch.3027 > pcep-jamie.cern.ch.1023: S
1976881541:1976881541(0) win 32768 <mss 1460,nop,wscale 0> (DF) [tos 0x10]
21:16:45.801549 pcep-jamie.cern.ch.1023 > dxplus05.cern.ch.3027: R 0:0(0) ack
1976881542 win 0 [tos 0x10]
With sending ICMP port unreachables:
====================================
----- Digital Unix end -----
[dxplus05] /afs/cern.ch/user/j/jlokier > time telnet pcep-jamie.cern.ch 1023
Trying 137.138.38.126...
telnet: Unable to connect to remote host: Connection refused
real 75.5
user 0.0
sys 0.0
----- Linux end -----
[root@pcep-jamie jladmin]# tcpdump 'host dxplus05 and ( port 1023 or icmp )'
tcpdump: listening on eth0
21:18:43.258838 dxplus05.cern.ch.3028 > pcep-jamie.cern.ch.1023: S
2002830615:2002830615(0) win 32768 <mss 1460,nop,wscale 0> (DF) [tos 0x10]
21:18:43.259049 pcep-jamie.cern.ch > dxplus05.cern.ch: icmp: pcep-jamie.cern.ch tcp
port 1023 unreachable [tos 0xd0]
21:18:44.698576 dxplus05.cern.ch.3028 > pcep-jamie.cern.ch.1023: S
2002830615:2002830615(0) win 32768 <mss 1460,nop,wscale 0> (DF) [tos 0x10]
21:18:44.698772 pcep-jamie.cern.ch > dxplus05.cern.ch: icmp: pcep-jamie.cern.ch tcp
port 1023 unreachable [tos 0xd0]
21:18:48.198642 dxplus05.cern.ch.3028 > pcep-jamie.cern.ch.1023: S
2002830615:2002830615(0) win 32768 <mss 1460,nop,wscale 0> (DF) [tos 0x10]
21:18:48.198817 pcep-jamie.cern.ch > dxplus05.cern.ch: icmp: pcep-jamie.cern.ch tcp
port 1023 unreachable [tos 0xd0]
21:18:54.698707 dxplus05.cern.ch.3028 > pcep-jamie.cern.ch.1023: S
2002830615:2002830615(0) win 32768 <mss 1460,nop,wscale 0> (DF) [tos 0x10]
21:18:54.698954 pcep-jamie.cern.ch > dxplus05.cern.ch: icmp: pcep-jamie.cern.ch tcp
port 1023 unreachable [tos 0xd0]
21:19:07.199260 dxplus05.cern.ch.3028 > pcep-jamie.cern.ch.1023: S
2002830615:2002830615(0) win 32768 <mss 1460,nop,wscale 0> (DF) [tos 0x10]
21:19:07.199462 pcep-jamie.cern.ch > dxplus05.cern.ch: icmp: pcep-jamie.cern.ch tcp
port 1023 unreachable [tos 0xd0]
21:19:31.699045 dxplus05.cern.ch.3028 > pcep-jamie.cern.ch.1023: S
2002830615:2002830615(0) win 32768 <mss 1460,nop,wscale 0> (DF) [tos 0x10]
21:19:31.699216 pcep-jamie.cern.ch > dxplus05.cern.ch: icmp: pcep-jamie.cern.ch tcp
port 1023 unreachable [tos 0xd0]
-- Jamie
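As an added illustration, not part of Jamie's mail or of any tool it mentions, the following Python parser reads the tcpdump records above (each packet re-joined onto one line, timestamps assumed to fall within one day) and extracts the client's SYN retransmission schedule and the kind of rejection it received, so the 0-second RST case and the 75-second ICMP case can be compared directly.

```python
import re

# tcpdump records copied from the two traces in the mail above, each record
# re-joined onto one line; the trace data is the page's own, the parser is not.
RST_TRACE = [
    "21:16:45.801494 dxplus05.cern.ch.3027 > pcep-jamie.cern.ch.1023: S 1976881541:1976881541(0) win 32768 <mss 1460,nop,wscale 0> (DF) [tos 0x10]",
    "21:16:45.801549 pcep-jamie.cern.ch.1023 > dxplus05.cern.ch.3027: R 0:0(0) ack 1976881542 win 0 [tos 0x10]",
]
ICMP_TRACE = [
    "21:18:43.258838 dxplus05.cern.ch.3028 > pcep-jamie.cern.ch.1023: S 2002830615:2002830615(0) win 32768 <mss 1460,nop,wscale 0> (DF) [tos 0x10]",
    "21:18:43.259049 pcep-jamie.cern.ch > dxplus05.cern.ch: icmp: pcep-jamie.cern.ch tcp port 1023 unreachable [tos 0xd0]",
    "21:18:44.698576 dxplus05.cern.ch.3028 > pcep-jamie.cern.ch.1023: S 2002830615:2002830615(0) win 32768 <mss 1460,nop,wscale 0> (DF) [tos 0x10]",
    "21:18:44.698772 pcep-jamie.cern.ch > dxplus05.cern.ch: icmp: pcep-jamie.cern.ch tcp port 1023 unreachable [tos 0xd0]",
    "21:18:48.198642 dxplus05.cern.ch.3028 > pcep-jamie.cern.ch.1023: S 2002830615:2002830615(0) win 32768 <mss 1460,nop,wscale 0> (DF) [tos 0x10]",
    "21:18:48.198817 pcep-jamie.cern.ch > dxplus05.cern.ch: icmp: pcep-jamie.cern.ch tcp port 1023 unreachable [tos 0xd0]",
    "21:18:54.698707 dxplus05.cern.ch.3028 > pcep-jamie.cern.ch.1023: S 2002830615:2002830615(0) win 32768 <mss 1460,nop,wscale 0> (DF) [tos 0x10]",
    "21:18:54.698954 pcep-jamie.cern.ch > dxplus05.cern.ch: icmp: pcep-jamie.cern.ch tcp port 1023 unreachable [tos 0xd0]",
    "21:19:07.199260 dxplus05.cern.ch.3028 > pcep-jamie.cern.ch.1023: S 2002830615:2002830615(0) win 32768 <mss 1460,nop,wscale 0> (DF) [tos 0x10]",
    "21:19:07.199462 pcep-jamie.cern.ch > dxplus05.cern.ch: icmp: pcep-jamie.cern.ch tcp port 1023 unreachable [tos 0xd0]",
    "21:19:31.699045 dxplus05.cern.ch.3028 > pcep-jamie.cern.ch.1023: S 2002830615:2002830615(0) win 32768 <mss 1460,nop,wscale 0> (DF) [tos 0x10]",
    "21:19:31.699216 pcep-jamie.cern.ch > dxplus05.cern.ch: icmp: pcep-jamie.cern.ch tcp port 1023 unreachable [tos 0xd0]",
]
SYN_RE = re.compile(r"^(\d+):(\d+):(\d+\.\d+) (\S+) > \S+: S (\d+):")
RST_RE = re.compile(r": R \d+:\d+\(0\) ack ")

def syn_attempts(trace):
    """(time of day in seconds, source socket, ISN) for every SYN in the trace."""
    out = []
    for m in filter(None, map(SYN_RE.match, trace)):
        h, mi, s, src, isn = m.groups()
        out.append((int(h) * 3600 + int(mi) * 60 + float(s), src, int(isn)))
    return out

def retransmit_intervals(trace):
    """Gaps between successive SYNs from the same socket with the same ISN:
    the client's retransmission backoff schedule (roughly doubling each time)."""
    syns = syn_attempts(trace)
    return [round(b[0] - a[0], 2) for a, b in zip(syns, syns[1:]) if a[1:] == b[1:]]

def responses(trace):
    """How the listener answered: a TCP reset, or ICMP port unreachable."""
    kinds = {"rst" for l in trace if RST_RE.search(l)}
    kinds |= {"icmp-unreachable" for l in trace if "icmp:" in l and "unreachable" in l}
    return sorted(kinds)

def summarize(trace):
    """SYN count, seconds the client spent retrying, backoff gaps, and the reply kind."""
    syns = syn_attempts(trace)
    return {"syn_count": len(syns), "elapsed": round(syns[-1][0] - syns[0][0], 2),
            "intervals": retransmit_intervals(trace), "responses": responses(trace)}
```

Running `summarize(ICMP_TRACE)` shows six SYNs spread over 48.44 seconds with gaps of 1.44, 3.5, 6.5, 12.5 and 24.5 seconds (the client treats the ICMP error as transient and keeps backing off), while `summarize(RST_TRACE)` shows a single SYN answered at once by a reset.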