icmp-host-unreachable as opposed to destination-unreachable
Martijn Lievaart
m at rtij.nl
Tue Mar 7 17:33:48 CET 2006
Derick Anderson said:
>
>
> bclark said:
>> Hi all
>>
>> Would anyone be kind to explain why would a person reject a
>> connection to port 113 with icmp-host-unreachable as opposed
>> to destination-unreachable.
>> I probably don't understand the difference.
>> Just something I was wondering.
>>
>> Kind Regards
>> Brent Clark
>>
>
> From what I can tell, icmp-host-unreachable is a code (1) for the
> destination-unreachable ICMP type (3). See
> http://www.spirit.com/Resources/icmp.html for a little more information,
> and Google RFC 792 for a lot more information.
>
> Basically though, "host-unreachable" is more specific than
> "destination-unreachable". I would think that code 3 would be more
> appropriate ("port unreachable") to this specific rule but then I don't
> bother with ident (port 113) rules. There's more information on that on
> this page: http://grc.com/port_113.htm.
Actually one should respond with a tcp reset to tcp/113. All icmp
*-unreachable replies can (and do) give differing results on different
sending tcp stacks.
HTH,
M4
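
Added example, not part of the original thread: a small parser for ICMP destination-unreachable (type 3) messages, useful when reading a capture to see which code a firewall sent and which connection it was answering. The hard/soft error split comes from RFC 1122 section 4.2.3.9, not from the thread; the addresses, ports and sample bytes are constructed.

```python
import socket
import struct

# Names for ICMP type 3 (destination unreachable) codes, per RFC 792.
CODE_NAMES = {0: "net-unreachable", 1: "host-unreachable",
              2: "protocol-unreachable", 3: "port-unreachable"}
# RFC 1122 section 4.2.3.9: codes 2-4 are hard errors (TCP SHOULD abort);
# codes 0, 1 and 5 are soft errors (TCP MUST NOT abort the connection).
HARD_CODES = {2, 3, 4}

def parse_unreachable(icmp: bytes) -> dict:
    """Parse an ICMP destination-unreachable message, starting at the ICMP header."""
    if len(icmp) < 8 + 20 + 8:
        raise ValueError("truncated: need ICMP header, quoted IP header, 8 data bytes")
    icmp_type, code = icmp[0], icmp[1]
    if icmp_type != 3:
        raise ValueError(f"ICMP type {icmp_type} is not destination-unreachable")
    quoted = icmp[8:]                      # original IP header + first 8 data bytes
    ihl = (quoted[0] & 0x0F) * 4           # quoted IP header length in bytes
    if quoted[0] >> 4 != 4 or ihl < 20 or len(quoted) < ihl + 8:
        raise ValueError("malformed quoted IPv4 header")
    proto = quoted[9]
    sport = dport = None
    if proto in (6, 17):                   # TCP or UDP: ports lead the header
        sport, dport = struct.unpack("!HH", quoted[ihl:ihl + 4])
    return {"code": code, "name": CODE_NAMES.get(code, f"code-{code}"),
            "hard_error": code in HARD_CODES, "proto": proto,
            "orig_dst": socket.inet_ntoa(quoted[16:20]),
            "orig_sport": sport, "orig_dport": dport}

def build_sample(code: int) -> bytes:
    """Constructed sample: ICMP type 3 quoting a TCP SYN to port 113.
    Checksums are left at zero; the parser does not verify them."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, 64, 6, 0,
                     socket.inet_aton("192.0.2.10"),
                     socket.inet_aton("198.51.100.5"))
    tcp8 = struct.pack("!HHI", 40000, 113, 1)   # sport, dport, sequence number
    return struct.pack("!BBHI", 3, code, 0, 0) + ip + tcp8

if __name__ == "__main__":
    for c in (1, 3):
        print(parse_unreachable(build_sample(c)))
```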