Re: Firewalling in recent kernels

Alan Cox (alan@cymru.net)
Thu, 16 May 1996 10:21:00 +0100 (BST)


> > I'm somewhat unsure whether this is a good idea, since actually
> > the destination host might be reachable through other ports.
> > (And I wouldn't be astonished if some OS takes such an ICMP as
> > a reason to drop all already established connections to that
> > destination.)

Certain 4.2 BSD derived systems do indeed drop all connections to that
destination. It's a bug on their part and very exploitable as I'm sure
you can imagine.

> Hmm, shouldn't we be using one of the higher (uncommented, 6-12) numbers
> in the codes for UNREACH section in <linux/icmp.h> ?

Someone was supposed to be testing the effect of the newer options on old
stacks and seeing what occurred. I've not heard anything back yet.

Alan
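The following is an added example, not part of the thread above and not code from the Linux kernel or any BSD stack. It models the two ICMP destination-unreachable handling policies the exchange contrasts: the RFC 1122 (section 4.2.3.9) rule that an error is directed only to the connection that sent the embedded datagram, and is a soft error for every code except 2, 3 and 4; and the 4.2 BSD-style behaviour Alan describes, where every established connection to the embedded destination is dropped. The code numbers follow the numbering in `<linux/icmp.h>`; the packet builder, the `TcpConnTable` class and all addresses and ports are constructed for the example.

```python
import struct
from ipaddress import IPv4Address

ICMP_DEST_UNREACH = 3

# Destination-unreachable codes as numbered in <linux/icmp.h>; the quoted
# question concerns the 6-12 range, beyond the original RFC 792 set (0-5).
UNREACH_CODES = {
    0: "NET_UNREACH", 1: "HOST_UNREACH", 2: "PROT_UNREACH", 3: "PORT_UNREACH",
    4: "FRAG_NEEDED", 5: "SR_FAILED", 6: "NET_UNKNOWN", 7: "HOST_UNKNOWN",
    8: "HOST_ISOLATED", 9: "NET_ANO", 10: "HOST_ANO", 11: "NET_UNR_TOS",
    12: "HOST_UNR_TOS",
}
# RFC 1122 4.2.3.9: only codes 2, 3 and 4 are "hard" errors that may abort a
# connection; every other code is "soft" and must not tear anything down.
HARD_CODES = {2, 3, 4}


def inet_checksum(data: bytes) -> int:
    """One's-complement checksum over 16-bit words (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_unreach(code, inner_src, inner_dst, sport, dport, proto=6):
    """Constructed test data: an ICMP destination-unreachable message made of
    the ICMP header, the offending datagram's IPv4 header and the first 8
    bytes of its transport header (RFC 792). The inner IP checksum is left 0."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64,
                           proto, 0, IPv4Address(inner_src).packed,
                           IPv4Address(inner_dst).packed)
    inner_l4 = struct.pack("!HHI", sport, dport, 0)  # ports + sequence number
    body = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + inner_ip + inner_l4
    csum = inet_checksum(body)
    return struct.pack("!BBHI", ICMP_DEST_UNREACH, code, csum, 0) + inner_ip + inner_l4


def parse_unreach(pkt: bytes):
    """Validate an ICMP unreachable message and extract the embedded 4-tuple.
    Returns None for anything truncated, mis-checksummed, unknown or not type 3."""
    if len(pkt) < 8 + 20 + 8 or inet_checksum(pkt) != 0:
        return None
    typ, code = pkt[0], pkt[1]
    if typ != ICMP_DEST_UNREACH or code not in UNREACH_CODES:
        return None
    inner = pkt[8:]
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl + 8:
        return None
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return {"code": code, "name": UNREACH_CODES[code], "proto": inner[9],
            "src": str(IPv4Address(inner[12:16])),
            "dst": str(IPv4Address(inner[16:20])),
            "sport": sport, "dport": dport}


class TcpConnTable:
    """Minimal model of a host's established TCP connections, keyed by
    (local addr, local port, remote addr, remote port)."""

    def __init__(self):
        self.conns = {}

    def add(self, laddr, lport, raddr, rport):
        self.conns[(laddr, lport, raddr, rport)] = "ESTABLISHED"

    def on_icmp_rfc1122(self, pkt):
        """Deliver the error only to the connection that sent the embedded
        datagram; abort it only for a hard code. Returns [(4-tuple, action)]."""
        info = parse_unreach(pkt)
        if info is None or info["proto"] != 6:
            return []
        key = (info["src"], info["sport"], info["dst"], info["dport"])
        if key not in self.conns:
            return []  # no such connection: the message is simply ignored
        if info["code"] in HARD_CODES:
            self.conns[key] = "ABORTED"
            return [(key, "abort")]
        return [(key, "soft")]  # recorded for the socket, connection stays up

    def on_icmp_4_2bsd_style(self, pkt):
        """The behaviour described in the thread: every connection to the
        embedded destination is dropped, whatever the code or port."""
        info = parse_unreach(pkt)
        if info is None:
            return []
        hit = [k for k in self.conns if k[2] == info["dst"]]
        for k in hit:
            self.conns[k] = "ABORTED"
        return hit


if __name__ == "__main__":
    for handler in ("on_icmp_rfc1122", "on_icmp_4_2bsd_style"):
        t = TcpConnTable()
        t.add("10.0.0.5", 40000, "192.0.2.10", 22)
        t.add("10.0.0.5", 40001, "192.0.2.10", 80)
        pkt = build_unreach(1, "10.0.0.5", "192.0.2.10", 40000, 22)  # HOST_UNREACH
        print(handler, getattr(t, handler)(pkt), t.conns)
```

Run as a script, the RFC 1122 handler reports a single soft error on the port-40000 connection and leaves both connections established, while the 4.2 BSD-style handler aborts both connections to 192.0.2.10 on the strength of one host-unreachable message, which is the blast radius the thread is worried about.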