Re: Firewalling in recent kernels

Bryn Paul Arnold Jones (bpaj@gytha.demon.co.uk)
Thu, 16 May 1996 02:41:40 +0100 (BST)


On Wed, 15 May 1996, Thomas Omerzu wrote:
> This basically works as expected, except for two problems:
>
> - When a disallowed connection is going to be established, the
> gateway rejects it with "ICMP host unreachable".
> I'm somewhat unsure whether this is a good idea, since actually
> the destination host might be reachable through other ports.
> (And I wouldn't be astonished if some OS takes such an ICMP as
> a reason to drop all already established connections to that
> destination.)
> Wouldn't it be better to just refuse that connection?
>

Hmm, shouldn't we be using one of the higher (uncommented, 6-12) numbers
in the "codes for UNREACH" section in <linux/icmp.h>?

> - If the target of a rejected connection is the gateway host,
> the connection is not rejected, but blocked (i.e. no ICMP is
> sent), just as if a "ipfwadm -O -a deny ..." had been set.
> This is a bug, isn't it?
>

Hmm, seems to me this is the same as the last one (though probably the
whole net rather than just the host).

>
> --
> Best regards
> Thomas Omerzu
>
Bryn

--
PGP key pass phrase forgotten,   \ Overload -- core meltdown sequence 
again :(                          |            initiated.
                                 / This space is intentionally left   
                                |  blank, apart from this text ;-)
                                 \____________________________________
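An added example, not part of this thread and not the kernel code of the time: a small C program that decodes ICMP Destination Unreachable codes by their RFC numbering (RFC 792, RFC 1122 for 6-12, RFC 1812 for 13; the same numbers <linux/icmp.h> carries), reports how an RFC 1122 compliant TCP treats each code (codes 0, 1 and 5, host unreachable among them, are soft errors that must not abort an established connection; codes 2, 3 and 4 are hard errors that do), and builds, checksums and validates a sample message before trusting its code field. The enum, the sample addresses and ports in the quoted datagram, and the helper names are this example's own constructions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ICMP Destination Unreachable (type 3) codes as numbered by RFC 792,
 * RFC 1122 sec. 3.2.2.1 (6-12) and RFC 1812 (13); <linux/icmp.h> uses the
 * same numbering. Defined here so the example builds without kernel headers. */
#define ICMP_DEST_UNREACH 3
enum unreach_code {
    UNREACH_NET = 0, UNREACH_HOST, UNREACH_PROT, UNREACH_PORT, UNREACH_FRAG_NEEDED,
    UNREACH_SR_FAILED, UNREACH_NET_UNKNOWN, UNREACH_HOST_UNKNOWN, UNREACH_HOST_ISOLATED,
    UNREACH_NET_ANO, UNREACH_HOST_ANO, UNREACH_NET_UNR_TOS, UNREACH_HOST_UNR_TOS,
    UNREACH_PKT_FILTERED, UNREACH_NCODES
};

static const char *const unreach_names[UNREACH_NCODES] = {
    "net unreachable", "host unreachable", "protocol unreachable",
    "port unreachable", "fragmentation needed and DF set", "source route failed",
    "destination network unknown", "destination host unknown", "source host isolated",
    "network administratively prohibited", "host administratively prohibited",
    "network unreachable for TOS", "host unreachable for TOS",
    "communication administratively prohibited"
};

const char *unreach_code_name(unsigned code) {
    return code < UNREACH_NCODES ? unreach_names[code] : "unknown code";
}

/* What an RFC 1122 (sec. 4.2.3.9) compliant TCP does with the code:
 * returns 0 for a soft error (codes 0, 1, 5: connection kept, the ICMP is
 * only a hint), 1 for a hard error (codes 2, 3, 4: connection aborted),
 * -1 for codes RFC 1122 does not classify (6 and above). */
int rfc1122_tcp_effect(unsigned code) {
    switch (code) {
    case UNREACH_NET: case UNREACH_HOST: case UNREACH_SR_FAILED: return 0;
    case UNREACH_PROT: case UNREACH_PORT: case UNREACH_FRAG_NEEDED: return 1;
    default: return -1;
    }
}

/* RFC 1071 ones-complement checksum over the whole ICMP message. */
uint16_t icmp_checksum(const uint8_t *buf, size_t len) {
    uint32_t sum = 0;
    size_t i;
    for (i = 0; i + 1 < len; i += 2)
        sum += ((uint32_t)buf[i] << 8) | buf[i + 1];
    if (len & 1)
        sum += (uint32_t)buf[len - 1] << 8;
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Constructed sample: the IP header plus first 8 bytes of the datagram a
 * gateway would quote back (TCP 192.168.1.10:54321 -> 192.168.2.20:23). */
static const uint8_t quoted_datagram[28] = {
    0x45, 0x00, 0x00, 0x3c, 0x1c, 0x46, 0x40, 0x00, 0x40, 0x06, 0x00, 0x00,
    0xc0, 0xa8, 0x01, 0x0a, 0xc0, 0xa8, 0x02, 0x14,
    0xd4, 0x31, 0x00, 0x17, 0x00, 0x00, 0x00, 0x01
};

/* Build a Destination Unreachable message with the given code: 8-byte ICMP
 * header (type, code, checksum, unused) followed by the quoted datagram,
 * as RFC 792 lays it out. Returns the message length, 0 if out is too small. */
size_t build_unreach(uint8_t *out, size_t cap, unsigned code) {
    size_t len = 8 + sizeof quoted_datagram;
    uint16_t ck;
    if (cap < len) return 0;
    memset(out, 0, 8);
    out[0] = ICMP_DEST_UNREACH;
    out[1] = (uint8_t)code;
    memcpy(out + 8, quoted_datagram, sizeof quoted_datagram);
    ck = icmp_checksum(out, len);      /* computed with the checksum field zeroed */
    out[2] = (uint8_t)(ck >> 8);
    out[3] = (uint8_t)(ck & 0xff);
    return len;
}

/* Validate a received message and extract its code. Returns 1 only for a
 * type 3 message long enough to carry the quoted IP header + 8 bytes and
 * whose checksum verifies (summing a valid message, checksum included, gives 0). */
int parse_unreach(const uint8_t *buf, size_t len, unsigned *code) {
    if (len < 8 + 20 + 8 || buf[0] != ICMP_DEST_UNREACH) return 0;
    if (icmp_checksum(buf, len) != 0) return 0;
    *code = buf[1];
    return 1;
}

/* Build-then-parse round trip; returns the parsed code or -1 on rejection. */
int roundtrip_code(unsigned code) {
    uint8_t msg[64];
    unsigned parsed;
    size_t n = build_unreach(msg, sizeof msg, code);
    return (n && parse_unreach(msg, n, &parsed)) ? (int)parsed : -1;
}

/* Change the code byte without recomputing the checksum; returns 1 if the
 * parser rejects the altered message, as it should. */
int tampered_message_rejected(void) {
    uint8_t msg[64];
    unsigned parsed;
    size_t n = build_unreach(msg, sizeof msg, UNREACH_HOST);
    msg[1] = UNREACH_PORT;
    return !parse_unreach(msg, n, &parsed);
}

int main(void) {
    unsigned code;
    for (code = 0; code < UNREACH_NCODES; code++)
        printf("code %2u: %-45s RFC 1122 TCP effect: %d\n",
               code, unreach_code_name(code), rfc1122_tcp_effect(code));
    printf("round trip of host unreachable -> code %d\n", roundtrip_code(UNREACH_HOST));
    return 0;
}
```

The classification function is the part that answers the worry in the quoted message: a host following RFC 1122 treats "host unreachable" (code 1) as a hint and keeps established connections, while "port unreachable" (code 3) aborts them, which is the behavioural difference between the two ways of turning a connection away.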