Ben,

> Not quite. REJECT sends a TCP RST. Normal filtering routers would send an
> ICMP 3/13 (Administratively Prohibited) packet which won't always get to its
> destination.

        I thought I had read somewhere that Linux sends an ICMP 3/3 (port
unreachable)... maybe other implementations do it differently. Anyway, the
result is the same.

> On a "normal" Cisco you can get this REJECT behaviour by _permitting_ the
> traffic as long as your mail server doesn't run identd. This sucks a bit
> from a security angle. If you're using NAT then you can be more elegant by
> having a NAT mapping for port 113 on all mailserver IP addresses that points
> to a "safe" host (I tend to use the router itself) whose TCP stack you trust
> to send back a TCP RST in the face of adversity and nasty packets.

        Yes, I think the best solution too is to send the standard RST
packet; that way any implementation should understand you perfectly. But
then, another layer of confs and docs to fill up.

        Anyway, I guess there are so many different implementations and
products that the only way to make sure that you're sending an RST and not
an ICMP is to tcpdump.

-- p.
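The verification step the message ends on (probe port 113, then read the tcpdump output to see whether the reject came back as a TCP RST, an ICMP unreachable, or nothing at all) as an added worked example. This is not code from the original thread or from any product named in it. It reads tcpdump-style text such as `tcpdump -n -l tcp port 113 or icmp` would print, matches each reply to the SYN that provoked it, and reports per target which of the three behaviours was observed and, for ICMP, whether the error came from the target host or from an intermediate router. The capture lines are constructed for the example; the substrings it keys on ("admin prohibited filter", "tcp port N unreachable") are the phrases tcpdump normally prints for ICMP 3/13 and 3/3, which is an assumption about the tcpdump version in use.

```python
import re
from collections import OrderedDict

# Constructed sample capture (not from the original message): four SYN probes
# to port 113 on four mail-server addresses, each answered differently.
SAMPLE_CAPTURE = """\
12:00:00.000001 IP 192.0.2.10.40000 > 198.51.100.25.113: Flags [S], seq 1000, win 64240, length 0
12:00:00.000250 IP 198.51.100.25.113 > 192.0.2.10.40000: Flags [R.], seq 0, ack 1001, win 0, length 0
12:00:01.000001 IP 192.0.2.10.40001 > 198.51.100.26.113: Flags [S], seq 2000, win 64240, length 0
12:00:01.000300 IP 198.51.100.1 > 192.0.2.10: ICMP host 198.51.100.26 unreachable - admin prohibited filter, length 36
12:00:02.000001 IP 192.0.2.10.40002 > 198.51.100.27.113: Flags [S], seq 3000, win 64240, length 0
12:00:02.000300 IP 198.51.100.27 > 192.0.2.10: ICMP 198.51.100.27 tcp port 113 unreachable, length 36
12:00:03.000001 IP 192.0.2.10.40003 > 198.51.100.28.113: Flags [S], seq 4000, win 64240, length 0
"""

# tcpdump's TCP and ICMP line shapes (assumed; adjust if your tcpdump differs)
TCP_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]")
ICMP_RE = re.compile(r"IP (\S+) > (\S+): ICMP (.*?), length \d+")


def classify_icmp(text, sender, target):
    """Name the ICMP unreachable code from tcpdump's wording and say who sent it."""
    if "admin prohibited filter" in text:
        kind = "ICMP 3/13 (communication administratively prohibited)"
    elif "admin prohibited" in text:
        kind = "ICMP 3/9 or 3/10 (net/host administratively prohibited)"
    elif "port" in text and "unreachable" in text:
        kind = "ICMP 3/3 (port unreachable)"
    else:
        kind = "ICMP unreachable, other code: %s" % text
    # A router in the path may answer on the host's behalf; the RST never does.
    origin = ("from the target itself" if sender == target
              else "from an intermediate router %s" % sender)
    return "%s %s" % (kind, origin)


def _mentions_host(text, ip):
    # Whole-address match so 198.51.100.2 does not match 198.51.100.26
    return re.search(r"(?<![\d.])%s(?![\d.])" % re.escape(ip), text) is not None


def classify_probes(capture, port="113"):
    """Return {target_ip: verdict} for every SYN to `port` in the capture.

    Verdicts: TCP RST, an ICMP unreachable (with code and sender), or no reply.
    If one target is probed several times the last probe's verdict is kept.
    """
    probes = OrderedDict()  # (src, sport, dst, dport) -> verdict so far
    for line in capture.splitlines():
        m = TCP_RE.search(line)
        if m:
            src, sport, dst, dport, flags = m.groups()
            if "S" in flags and "." not in flags and dport == port:
                # A bare SYN: start tracking, assume silence until proven otherwise
                probes[(src, sport, dst, dport)] = "no reply (dropped or silently filtered)"
            elif "R" in flags:
                # RST travels back with the addresses swapped
                rev = (dst, dport, src, sport)
                if rev in probes:
                    probes[rev] = "TCP RST (clean connection refused)"
            continue
        m = ICMP_RE.search(line)
        if m:
            icmp_src, icmp_dst, text = m.groups()
            for key, verdict in probes.items():
                src, sport, dst, dport = key
                # Match the ICMP error to the probe whose destination it quotes
                if src == icmp_dst and verdict.startswith("no reply") and _mentions_host(text, dst):
                    probes[key] = classify_icmp(text, sender=icmp_src, target=dst)
    return {key[2]: verdict for key, verdict in probes.items()}


if __name__ == "__main__":
    for target, verdict in classify_probes(SAMPLE_CAPTURE).items():
        print("%-15s %s" % (target, verdict))
```

Feed it a real capture with `tcpdump -n -l tcp port 113 or icmp | python3 this_script.py` after swapping the constant for `sys.stdin.read()`; the useful signal is the third column on the ICMP verdicts, since a reply "from an intermediate router" is exactly the 3/13 case that may never reach a remote mailer, whereas an RST always comes from the probed address.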

