D. J. Bernstein writes:
> > I have talked to the firewall manufacturer about this, but they say that
> > there is nothing they can do.
>
> The firewall is converting TCP connection timeouts into successful TCP
> connections with no data. That's incorrect behavior.
>
> > Does anyone have any ideas or ways to get around this?
>
> Connect directly to the remote host, rather than the firewall. Fix the
> firewall.

This question actually comes up frequently on various technical mailing
lists and newsgroups. Unfortunately, there is no way within the POSIX
and BSD sockets API/SPI to make a program that can do this. Once a new
connection comes in, the program basically has to accept(), or else stop
selecting the listening fd for read, or close the listening fd. There
is no way to just ignore the connection without being constantly disturbed
by it being pending.

The problem is in the socket API design (and it's not the only problem
it has). You can prove me wrong with a program that _can_ do "the right
thing" with portable standard interface calls.

I do agree that it's incorrect behaviour. But since I don't see any fix
for it forthcoming, I think we just need to deal with the reality that
an established connection that summarily disconnects with no data is
effectively equivalent to connections that are refused and connections
that time out. For SMTP that means the mail didn't go through.

Oh, I'd absolutely LOVE to be able to detect where a connection is coming
from even before I accept() it, and have a new API function to discard
the SYN so I can make it time out, or maybe a new refuse() function so it
can force a connection refused scenario and pretend no one was listening
(basically to emulate that the daemon was not listening for that source).
I'd love to do that to known spammers and relays.
--
Phil Howard | phil at ipal dot net
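The exchange above turns on two points: a server cannot act on a pending connection before accept(), and a client that gets an established connection followed by a close with no data should treat it like a refusal or a timeout. The following is an added example, not code from the thread or from any of its participants. It runs the three cases on the loopback interface in one process: the server accepts and sends a banner, accepts and closes cleanly (what the firewall in the thread does), or accepts and closes with SO_LINGER set to zero so the kernel sends RST, which is the nearest thing to "connection refused" a user-space daemon can produce after the kernel has already answered the SYN. It assumes Linux/POSIX sockets, that recv() reports an RST as ECONNRESET (true on Linux), and the banner string, function names and enum names are mine.

```c
/* Added example, not from the original thread. Linux/POSIX sockets, loopback only. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

enum server_action { SRV_GREET, SRV_CLOSE_FIN, SRV_CLOSE_RST };   /* assumed names */
enum client_view { CV_GREETING, CV_EOF_NO_DATA, CV_RESET, CV_ERROR };

static void fill_loopback(struct sockaddr_in *sa, unsigned short port) {
    memset(sa, 0, sizeof *sa);
    sa->sin_family = AF_INET;
    sa->sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa->sin_port = htons(port);
}

/* Listening socket on 127.0.0.1 with an ephemeral port, written to *port. */
static int listen_loopback(unsigned short *port) {
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    fill_loopback(&sa, 0);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 5) < 0 ||
        getsockname(fd, (struct sockaddr *)&sa, &len) < 0) {
        close(fd);
        return -1;
    }
    *port = ntohs(sa.sin_port);
    return fd;
}

static int connect_loopback(unsigned short port) {
    struct sockaddr_in sa;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    fill_loopback(&sa, port);
    if (connect(fd, (struct sockaddr *)&sa, sizeof sa) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Server side. The handshake already completed in the kernel; the API only lets
 * us accept() and then learn the peer address, so any source policy runs here. */
static int serve_one(int lfd, enum server_action act) {
    struct sockaddr_in peer;
    socklen_t plen = sizeof peer;
    int cfd = accept(lfd, (struct sockaddr *)&peer, &plen);
    if (cfd < 0) return -1;
    if (act == SRV_GREET) {
        const char banner[] = "220 mx.example ESMTP\r\n";   /* constructed banner */
        if (send(cfd, banner, sizeof banner - 1, 0) < 0) { close(cfd); return -1; }
    } else if (act == SRV_CLOSE_RST) {
        /* SO_LINGER with l_linger == 0 makes close() send RST instead of FIN. */
        struct linger lg;
        lg.l_onoff = 1;
        lg.l_linger = 0;
        if (setsockopt(cfd, SOL_SOCKET, SO_LINGER, &lg, sizeof lg) < 0) { close(cfd); return -1; }
    }
    close(cfd);   /* SRV_CLOSE_FIN: orderly close with no data, as the firewall does */
    return 0;
}

/* Client side: wait for the first bytes after connect() and classify what arrived. */
static enum client_view client_observe(int cfd) {
    char buf[128];
    ssize_t n = recv(cfd, buf, sizeof buf, 0);
    if (n > 0) return CV_GREETING;
    if (n == 0) return CV_EOF_NO_DATA;
    return errno == ECONNRESET ? CV_RESET : CV_ERROR;
}

/* A sending MTA should count nothing but a greeting as a reachable host. */
int delivery_should_defer(enum client_view v) { return v != CV_GREETING; }

/* Run one scenario end to end in a single process and return what the client saw. */
enum client_view run_scenario(enum server_action act) {
    unsigned short port;
    enum client_view v;
    int lfd = listen_loopback(&port);
    if (lfd < 0) return CV_ERROR;
    int cfd = connect_loopback(port);   /* returns before accept(): the kernel answered the SYN */
    if (cfd < 0) { close(lfd); return CV_ERROR; }
    if (serve_one(lfd, act) < 0) { close(cfd); close(lfd); return CV_ERROR; }
    v = client_observe(cfd);
    close(cfd);
    close(lfd);
    return v;
}

int main(void) {
    static const char *names[] = {"greeting", "eof-no-data", "reset", "error"};
    enum server_action acts[] = {SRV_GREET, SRV_CLOSE_FIN, SRV_CLOSE_RST};
    for (size_t i = 0; i < 3; i++) {
        enum client_view v = run_scenario(acts[i]);
        printf("server action %d -> client sees %s, defer=%d\n",
               (int)acts[i], names[v], delivery_should_defer(v));
    }
    return 0;
}
```

The connect() call succeeding before accept() is exactly the limitation the message describes: by the time the daemon sees the peer address the client already has an established connection, so the only choices left are a FIN or an RST. On the client side, delivery_should_defer() encodes the conclusion that an empty established connection is no better than a refused or timed-out one.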