Hello!

> Excellent, so a "tcprst" rule instead of "reject" in the host's packet
> firewall is ok then?

No objections in principle. Why not?

Only I do not understand very well why to do it. Port unreachable
or admin. prohibited has the same effect in practice. Or do you want
to cheat ICMP filterers? Well, it is done in a more civilized way.
Or do you want to get a mighty kernel-based weapon to preempt live tcp connections
in flight without the applications' permission? Appropriate user space tools
may be found in any cracker's archive 8)8)

> I don't see how this changes anything.  If firewalls masquerading as
> final destinations generate RSTs, it's because they _want_ the same
> behavior as a final destination sending RSTs!

It is exactly what I am trying to prove. A firewall MUST NOT do this, because...

> I admit I don't know how these transients can happen.

Well, I see them every day! 8) The provider has a firewall on the international link,
doing trans. proxy on http and prohibiting access from foreign networks,
but the connection to the Russian part of the internet is direct. When BGP flaps,
we get all the connections to the flapped routes killed instantly.
It is exactly why ICMP in the established state is dropped unconditionally.

Alexey
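To make the distinction drawn in this reply concrete, here is an added model (not code from the post or from the Linux kernel) of how a TCP endpoint reacts to an ICMP hard error versus a RST in each connection state, and what that means for an established connection whose segments transiently hit a rejecting firewall. The state names, the `Conn` fields and the `firewall_reject` helper are constructed for this illustration.

```python
"""Per-state handling of ICMP hard errors versus TCP RST (illustrative model)."""
from dataclasses import dataclass

SYN_SENT, ESTABLISHED, CLOSED = "SYN_SENT", "ESTABLISHED", "CLOSED"

# ICMP destination-unreachable codes that RFC 1122 (3.2.2.1) treats as
# "hard" errors. A host may abort a connection that is still being set up
# on receiving one; once the connection is established they are soft
# errors and must not kill it (the behaviour the reply describes).
HARD_ICMP_CODES = {3: "port-unreachable", 13: "admin-prohibited"}
ICMP_DEST_UNREACH = 3


@dataclass
class Conn:
    state: str
    rcv_nxt: int   # next sequence number we expect from the peer
    rcv_wnd: int   # our advertised receive window


def on_icmp_error(conn: Conn, icmp_type: int, icmp_code: int) -> str:
    """Action taken for an ICMP error that quotes this connection."""
    if icmp_type != ICMP_DEST_UNREACH or icmp_code not in HARD_ICMP_CODES:
        return "ignore"
    if conn.state == SYN_SENT:
        conn.state = CLOSED
        return "abort:" + HARD_ICMP_CODES[icmp_code]
    # ESTABLISHED: a transient error (route flap, middlebox) is ignored;
    # the unacknowledged segment is simply retransmitted later.
    return "ignore"


def on_rst(conn: Conn, seq: int) -> str:
    """A RST aborts the connection in any state if its seq is in window (RFC 793)."""
    if not (conn.rcv_nxt <= seq < conn.rcv_nxt + conn.rcv_wnd):
        return "ignore:out-of-window"
    conn.state = CLOSED
    return "abort:rst"


def firewall_reject(conn: Conn, mode: str, seq: int) -> str:
    """Effect on a connection when one of its segments is rejected by a
    firewall using `mode`: 'tcp-reset' or 'icmp-admin-prohibited'.
    (Constructed helper; `seq` is the sequence number the RST carries.)"""
    if mode == "tcp-reset":
        return on_rst(conn, seq)
    return on_icmp_error(conn, ICMP_DEST_UNREACH, 13)
```

With an established connection, the ICMP variant leaves the state untouched while the in-window RST closes it at once, which is the difference between a BGP flap being a retransmit and being a dropped session.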
-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to [EMAIL PROTECTED]
