Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!swrinde!zaphod.mps.ohio-state.edu!caen!Firewall!genesis!kdenning
From: kdenning@genesis.Naitc.Com (Karl Denninger)
Newsgroups: comp.protocols.tcp-ip
Subject: Re: well-behaved firewalls
Summary: What we do here
Message-ID: <1991Jun18.162158.28370@Firewall.Nielsen.Com>
Date: 18 Jun 91 16:21:58 GMT
References:
Sender: news@Firewall.Nielsen.Com (Usenet News)
Organization: AC Nielsen Co., Bannockburn IL
Lines: 35
Nntp-Posting-Host: genesis.naitc.com

In article bob@MorningStar.Com (Bob Sutterfield) writes:
>When a gateway is configured as a firewall, what is the polite thing
>to do about those packets that aren't passed? The packet itself
>should be dropped on the floor, but should the originating system be
>told anything about it?
>
>Suppose 25/tcp (SMTP) is allowed through but 23/tcp (Telnet) is
>blocked. Should the gateway return a Host Unreachable in response to
>a telnet request? Or maybe only a Port Unreachable or Protocol
>Unreachable, which would leave the originator wondering what other
>ports might be reachable or which protocols might be passed? RFC792
>says that the destination host may send the Unreachable message back
>to the source host, but implies that only a host may send a Port or
>Protocol unreachable. Should the firewall, since it's assuming the
>filtering responsibility, also assume responsibility for the ICMP
>returns?

I return a "host unreachable" for any hosts behind our firewall. On >all< protocols and ports.

This is as (from my reading) it should be -- the host IS unreachable.

IF you're doing SMTP mail, and don't recognize the MX records, you will end up bouncing the mail. Then again, if you're doing SMTP, you should know what an MX record is ;-)

The choice of having all points beyond the firewall unreachable directly was a policy one here at the company....
--
Karl Denninger - AC Nielsen, Bannockburn IL (708) 317-3285
kdenning@nis.naitc.com
"The most dangerous command on any computer is the carriage return."
Disclaimer: The opinions here are solely mine and may or may not reflect those of the company.
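The two reply policies discussed in this thread, as an added example that is not from the original post: it builds RFC 792 Destination Unreachable messages (type 3, with the offending IP header plus 64 bits embedded) and shows what the originating host can read back from a Host Unreachable reply versus a Port Unreachable one. The addresses, port numbers and the `firewall_reply` policy function are constructed for illustration.

```python
import socket
import struct

ICMP_DEST_UNREACH = 3                                  # RFC 792 type
HOST_UNREACH, PROTO_UNREACH, PORT_UNREACH = 1, 2, 3    # RFC 792 codes named in the thread
IPPROTO_TCP = 6

def icmp_checksum(data: bytes) -> int:
    # RFC 1071 one's-complement sum over 16-bit words (odd length zero-padded)
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def tcp_syn_to(dst: str, port: int) -> bytes:
    # Constructed offending datagram: minimal IPv4 header (header checksum left 0)
    # followed by the first 8 bytes of a TCP segment (src port, dst port, seq)
    tcp8 = struct.pack("!HHI", 40000, port, 1)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp8), 0, 0, 64, IPPROTO_TCP,
                     0, socket.inet_aton("198.51.100.7"), socket.inet_aton(dst))
    return ip + tcp8

def build_dest_unreach(code: int, offending: bytes) -> bytes:
    # Type 3 message: type, code, checksum, 4 unused bytes, then the offending
    # datagram's IP header plus its first 64 bits, as RFC 792 specifies
    ihl = (offending[0] & 0x0F) * 4
    body = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + offending[:ihl + 8]
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]

def parse_dest_unreach(msg: bytes) -> dict:
    # What the originating host can read back out of the reply it receives
    if msg[0] != ICMP_DEST_UNREACH or icmp_checksum(msg) != 0:
        raise ValueError("not a valid Destination Unreachable message")
    inner = msg[8:]
    ihl, proto = (inner[0] & 0x0F) * 4, inner[9]
    dport = struct.unpack("!H", inner[ihl + 2:ihl + 4])[0] if proto == IPPROTO_TCP else None
    return {"code": msg[1], "dst": socket.inet_ntoa(inner[16:20]), "proto": proto, "dport": dport}

def firewall_reply(offending: bytes, allowed_tcp_ports: set, host_unreach_for_all: bool):
    # Karl's policy (host_unreach_for_all=True): every blocked packet is answered with
    # Host Unreachable, so the reply looks the same whether the port is filtered or
    # the host is absent.  The alternative answers Port Unreachable, which tells the
    # originator the host is there and only this port is closed to it.
    ihl, proto = (offending[0] & 0x0F) * 4, offending[9]
    if proto == IPPROTO_TCP and struct.unpack("!H", offending[ihl + 2:ihl + 4])[0] in allowed_tcp_ports:
        return None                                    # forwarded; no ICMP generated
    return build_dest_unreach(HOST_UNREACH if host_unreach_for_all else PORT_UNREACH, offending)
```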