Path: utzoo!utgpu!news-server.csri.toronto.edu!bonnie.concordia.ca!uunet!cis.ohio-state.edu!zaphod.mps.ohio-state.edu!mstar!mstar.morningstar.com!bob
From: bob@MorningStar.Com (Bob Sutterfield)
Newsgroups: comp.protocols.tcp-ip
Subject: well-behaved firewalls
Message-ID:
Date: 17 Jun 91 22:21:24 GMT
Sender: usenet@MorningStar.COM (USENET Administrator)
Reply-To: bob@MorningStar.Com (Bob Sutterfield)
Organization: Morning Star Technologies
Lines: 19

When a gateway is configured as a firewall, what is the polite thing to do about those packets that aren't passed? The packet itself should be dropped on the floor, but should the originating system be told anything about it?

Suppose 25/tcp (SMTP) is allowed through but 23/tcp (Telnet) is blocked. Should the gateway return a Host Unreachable in response to a telnet request? Or maybe only a Port Unreachable or Protocol Unreachable, which would leave the originator wondering what other ports might be reachable or which protocols might be passed?

RFC792 says that the destination host may send the Unreachable message back to the source host, but implies that only a host may send a Port or Protocol unreachable. Should the firewall, since it's assuming the filtering responsibility, also assume responsibility for the ICMP returns?

RFC1009 doesn't seem to address this area except to suggest in 4.4 that address filters be supported, so I must rely on precedent for protocol filter behavior.

What is polite? What is common?
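The response policies the post weighs, modelled as an added example that is not part of the original post: a toy filter that passes 25/tcp and blocks everything else, applies one of silent drop, Host Unreachable, or Port/Protocol Unreachable, and a helper that shows what the originating host can tell from each kind of response. The packet model, the rule set and all function names are constructed for illustration. One later fact is included as a fourth option: RFC 1812 (1995) added Destination Unreachable code 13, Communication Administratively Prohibited, for exactly this gateway case.

```python
"""Toy model of a filtering gateway's ICMP behaviour (constructed example)."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Iterable, Optional, Tuple

# ICMP Destination Unreachable (RFC 792 type 3) codes used below.
ICMP_DEST_UNREACHABLE = 3
CODE_HOST_UNREACHABLE = 1
CODE_PROTOCOL_UNREACHABLE = 2
CODE_PORT_UNREACHABLE = 3
CODE_ADMIN_PROHIBITED = 13  # added later by RFC 1812, not available to the 1991 poster

ICMP_NAMES = {
    (ICMP_DEST_UNREACHABLE, CODE_HOST_UNREACHABLE): "host unreachable",
    (ICMP_DEST_UNREACHABLE, CODE_PROTOCOL_UNREACHABLE): "protocol unreachable",
    (ICMP_DEST_UNREACHABLE, CODE_PORT_UNREACHABLE): "port unreachable",
    (ICMP_DEST_UNREACHABLE, CODE_ADMIN_PROHIBITED): "administratively prohibited",
}


class Policy(Enum):
    SILENT_DROP = "drop"               # say nothing; originator sees a timeout
    HOST_UNREACHABLE = "host-unreach"  # one answer for every blocked packet
    PORT_UNREACHABLE = "port-unreach"  # mimic a host: port or protocol unreachable
    ADMIN_PROHIBITED = "admin-prohib"  # RFC 1812 code 13: filtered, and say so


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp", "icmp", ...
    dport: Optional[int]  # None for protocols without ports


@dataclass(frozen=True)
class Verdict:
    forwarded: bool
    icmp: Optional[Tuple[int, int]]  # (type, code) returned to src, or None


# Constructed rule set matching the post: SMTP through, everything else blocked.
ALLOWED_FLOWS = {("tcp", 25)}
ALLOWED_PROTOS = {proto for proto, _ in ALLOWED_FLOWS}


def filter_packet(pkt: Packet, policy: Policy) -> Verdict:
    """Decide whether to forward pkt and which ICMP error, if any, to return."""
    if (pkt.proto, pkt.dport) in ALLOWED_FLOWS:
        return Verdict(True, None)
    if policy is Policy.SILENT_DROP:
        return Verdict(False, None)
    if policy is Policy.HOST_UNREACHABLE:
        return Verdict(False, (ICMP_DEST_UNREACHABLE, CODE_HOST_UNREACHABLE))
    if policy is Policy.ADMIN_PROHIBITED:
        return Verdict(False, (ICMP_DEST_UNREACHABLE, CODE_ADMIN_PROHIBITED))
    # PORT_UNREACHABLE: answer as the destination host itself would have.
    if pkt.proto not in ALLOWED_PROTOS:
        return Verdict(False, (ICMP_DEST_UNREACHABLE, CODE_PROTOCOL_UNREACHABLE))
    return Verdict(False, (ICMP_DEST_UNREACHABLE, CODE_PORT_UNREACHABLE))


def sender_view(policy: Policy, packets: Iterable[Packet]) -> Dict[Tuple[str, Optional[int]], str]:
    """What the originating host observes for each packet under a given policy."""
    view = {}
    for pkt in packets:
        verdict = filter_packet(pkt, policy)
        if verdict.forwarded:
            label = "passed"
        elif verdict.icmp is None:
            label = "timeout"
        else:
            label = ICMP_NAMES[verdict.icmp]
        view[(pkt.proto, pkt.dport)] = label
    return view


def blocked_response_kinds(policy: Policy, packets: Iterable[Packet]) -> int:
    """Number of distinct responses blocked traffic gets; more kinds means the
    filter's structure (which ports vs. which protocols) is more exposed."""
    labels = {lbl for lbl in sender_view(policy, packets).values() if lbl != "passed"}
    return len(labels)


if __name__ == "__main__":
    # Constructed sample traffic from one outside host toward the protected host.
    sample = [
        Packet("outside", "inside", "tcp", 25),
        Packet("outside", "inside", "tcp", 23),
        Packet("outside", "inside", "udp", 53),
    ]
    for policy in Policy:
        print(policy.value, sender_view(policy, sample))
```

The `sender_view` output for the three sample packets shows the trade-off the post asks about: under `HOST_UNREACHABLE` the blocked Telnet and DNS packets get the same answer (and that answer contradicts the fact that the host is reachable on 25/tcp), under `PORT_UNREACHABLE` they get different answers, which is what distinguishes a port rule from a protocol rule, and under `SILENT_DROP` they get nothing at all, which is polite only in the sense that no information is volunteered.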