Jesper Skriver <[EMAIL PROTECTED]> wrote:
>
>- If the sysctl net.inet.tcp.icmp_admin_prohib_like_rst == 1 (default)
>  it enables the below.

I think those are the wrong semantics: ICMP administratively
prohibited should work like host and network unreachable, i.e.
existing connections should not be killed. (AFAICT the old code
does that so I don't understand what's wrong with it.)

The reason for this is illustrated by this real-life scenario: A pair
of private (RFC 1918) networks are linked by a VPN. Each network is
protected from the Internet with a firewall that filters all RFC 1918
traffic. The networks' Internet connections are not reliable (e.g.
dial-up links) and so neither is the VPN. When the VPN is down
connections will start receiving ICMP administratively prohibited
messages, but the connections shouldn't be killed because the VPN will
probably come back soon when the link is restored.

Tony.
-- 
f.a.n.finch    [EMAIL PROTECTED]    [EMAIL PROTECTED]
"Dead! And yet there he stands!"


To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-net" in the body of the message
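The two behaviours argued over above, as an added Python model that is not FreeBSD's code or Jesper's patch: it builds a constructed ICMP Destination Unreachable message, parses the quoted IP/TCP headers to find the affected connection, and then applies either the patch's "like RST" semantics (sysctl = 1) or the "like host/network unreachable" semantics Tony argues for (sysctl = 0). The hard/soft split for codes 0, 1, 2, 3 and 5 follows RFC 1122 section 4.2.3.9; the admin-prohibited codes 9, 10 and 13 come from RFC 1812. The function names, the `TcpConn` record, and the sample addresses from the VPN scenario are all assumptions made for this illustration.

```python
import socket
import struct
from dataclasses import dataclass

ICMP_DEST_UNREACH = 3
# RFC 1122 section 4.2.3.9: codes 2 (protocol) and 3 (port unreachable) are
# hard errors that abort a connection; codes 0 (net), 1 (host) and 5 (source
# route failed) are soft errors that must not. Codes 9, 10 and 13 (RFC 1812)
# are the "administratively prohibited" family the thread is about.
HARD_CODES = {2, 3}
ADMIN_PROHIB_CODES = {9, 10, 13}


@dataclass
class TcpConn:  # hypothetical stand-in for a kernel PCB
    laddr: str
    lport: int
    raddr: str
    rport: int
    state: str = "ESTABLISHED"


def build_icmp_unreach(code, src, dst, sport, dport, seq):
    """Construct a sample ICMP Destination Unreachable message (constructed
    data, not a capture): 8-byte ICMP header, then the offending IP header and
    the first 8 bytes of its TCP segment, as a router quotes them. Checksums
    are left at zero because nothing here verifies them."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 48, 0, 0, 64,
                         socket.IPPROTO_TCP, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    tcp_hdr8 = struct.pack("!HHI", sport, dport, seq)
    icmp_hdr = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0)
    return icmp_hdr + ip_hdr + tcp_hdr8


def parse_icmp_unreach(msg):
    """Return (code, src, dst, sport, dport, seq) from an ICMP type-3 message."""
    icmp_type, code = msg[0], msg[1]
    if icmp_type != ICMP_DEST_UNREACH:
        raise ValueError("not a destination-unreachable message")
    inner = msg[8:]
    ihl = (inner[0] & 0x0F) * 4
    if inner[9] != socket.IPPROTO_TCP or len(inner) < ihl + 8:
        raise ValueError("quoted datagram is not TCP or is truncated")
    src = socket.inet_ntoa(inner[12:16])
    dst = socket.inet_ntoa(inner[16:20])
    sport, dport, seq = struct.unpack("!HHI", inner[ihl:ihl + 8])
    return code, src, dst, sport, dport, seq


def find_conn(conns, src, dst, sport, dport):
    """The quoted datagram is one we sent, so its source is our local end."""
    for c in conns:
        if (c.laddr, c.lport, c.raddr, c.rport) == (src, sport, dst, dport):
            return c
    return None


def icmp_action(code, admin_prohib_like_rst):
    """Decide what an unreachable code does to an established connection:
    'abort' tears it down as an RST would, 'soft' records the error and lets
    the connection keep retransmitting until the path comes back."""
    if code in HARD_CODES:
        return "abort"
    if code in ADMIN_PROHIB_CODES:
        # sysctl = 1: the patch's semantics, treat it like a RST.
        # sysctl = 0: treat it like host/network unreachable (Tony's position).
        return "abort" if admin_prohib_like_rst else "soft"
    return "soft"


def process_icmp(conns, msg, admin_prohib_like_rst):
    """Apply the policy to the connection named in msg; None if no match."""
    code, src, dst, sport, dport, _seq = parse_icmp_unreach(msg)
    conn = find_conn(conns, src, dst, sport, dport)
    if conn is None:
        return None
    action = icmp_action(code, admin_prohib_like_rst)
    if action == "abort":
        conn.state = "CLOSED"
    return action


if __name__ == "__main__":
    # VPN scenario: an SSH session across the tunnel; while the tunnel is down
    # the firewall answers with code 13 (communication administratively prohibited).
    msg = build_icmp_unreach(13, "10.1.0.5", "10.2.0.9", 40000, 22, 1000)
    for setting in (1, 0):
        conn = TcpConn("10.1.0.5", 40000, "10.2.0.9", 22)
        print("icmp_admin_prohib_like_rst=%d ->" % setting,
              process_icmp([conn], msg, setting), conn.state)
```

Running it shows the session closed with the sysctl at 1 and still ESTABLISHED at 0, which is the difference between losing every session on a dial-up hiccup and having them resume when the VPN returns.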