I suggest that the ICMP unreachable affect connections only in SYN-SENT and only if the seq number matches, and that it not affect IPSEC'd connections at all. FYI, IPSEC does not run over GRE, but uses two protocol numbers of its own, 50 for ESP and 51 for AH. IKE uses UDP port 500, not TCP.

Without the check on seq # & state as well as port/ip, it's too easy to DoS by blindly blasting unreachables to every source port.

Barney Wolff

To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-net" in the body of the message
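The acceptance test Barney proposes, written out as an added C model (not FreeBSD's tcp_ctlinput and not code from this thread): the struct names, the simplified state set and the exact-ISS comparison are assumptions made for illustration; the kernel works on its own PCB structures.

```c
#include <stdbool.h>
#include <stdint.h>

/* Added example, not FreeBSD code: a model of the acceptance test proposed
 * in the post. Types are hypothetical and deliberately minimal. */

enum tcp_state { TCPS_CLOSED_X, TCPS_SYN_SENT_X, TCPS_ESTABLISHED_X };

struct tcp_conn {            /* one local TCP connection (hypothetical) */
    enum tcp_state state;
    uint32_t laddr, faddr;   /* local/foreign IPv4 addresses, host order */
    uint16_t lport, fport;   /* local/foreign ports, host order */
    uint32_t iss;            /* initial send sequence number of our SYN */
    bool ipsec_protected;    /* this connection's traffic runs under ESP/AH */
};

/* What an ICMP unreachable quotes from the offending packet: its IP
 * addresses plus the first 8 bytes of the TCP header (ports, sequence). */
struct icmp_quote {
    uint32_t saddr, daddr;   /* of the quoted packet, i.e. our own SYN */
    uint16_t sport, dport;
    uint32_t seq;
};

/* Decide whether an ICMP unreachable may abort the connection. Every
 * rejection is silent: the host's state is never changed on a mismatch. */
bool unreach_should_abort(const struct tcp_conn *tp, const struct icmp_quote *q)
{
    /* 1. The quoted packet must be ours: addresses and ports must match. */
    if (q->saddr != tp->laddr || q->daddr != tp->faddr ||
        q->sport != tp->lport || q->dport != tp->fport)
        return false;
    /* 2. IPsec-protected connections are not touched at all. */
    if (tp->ipsec_protected)
        return false;
    /* 3. Only a connection still waiting for its SYN/ACK is affected. */
    if (tp->state != TCPS_SYN_SENT_X)
        return false;
    /* 4. The quoted sequence must be that of the SYN we sent; a sender
     *    that guesses the port pair but not the 32-bit ISS stops here. */
    return q->seq == tp->iss;
}
```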