On Sat, Dec 23, 2000 at 12:24:44PM +0000, Tony Finch wrote:
> Jesper Skriver <[EMAIL PROTECTED]> wrote:
> >
> >- If the sysctl net.inet.tcp.icmp_admin_prohib_like_rst == 1 (default)
> > it enables the below.
>
> I think those are the wrong semantics: ICMP administratively
> prohibited should work like host and network unreachable, i.e.
> existing connections should not be killed. (AFAICT the old code
> does that so I don't understand what's wrong with it.)
The code in the tree does exactly what you want; it only kills sessions
in SYN-SENT state, that is, new sessions.
> The reason for this is illustrated by this real-life scenario: A pair
> of private (RFC 1918) networks are linked by a VPN. Each network is
> protected from the Internet with a firewall that filters all RFC 1918
> traffic. The networks' Internet connections are not reliable (e.g.
> dial-up links) and so neither is the VPN. When the VPN is down
> connections will start receiving ICMP administratively prohibited
> messages, but the connections shouldn't be killed because the VPN will
> probably come back soon when the link is restored.
In this case the end hosts will not receive the ICMP messages, and
the "VPN tunnel" is not likely to be implemented with TCP sessions.
/Jesper
--
Jesper Skriver, jesper(at)skriver(dot)dk - CCIE #5456
Work: Network manager @ AS3292 (Tele Danmark DataNetworks)
Private: Geek @ AS2109 (A much smaller network ;-)
One Unix to rule them all, One Resolver to find them,
One IP to bring them all and in the zone to bind them.
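The semantics Jesper describes, modelled as an added Python example (not code from FreeBSD or from this thread): an ICMP destination-unreachable message is parsed, its quoted TCP 4-tuple is matched against a connection table, and an administratively-prohibited code aborts the connection only when the sysctl is on and the connection is still in SYN-SENT, while plain host/network unreachable never aborts. The connection table, addresses and the `build_icmp` helper are constructed for the demonstration; the ICMP codes are the RFC 1812 values.

```python
import struct
from enum import Enum

# ICMP destination-unreachable type and the codes relevant here (RFC 792 / RFC 1812).
ICMP_UNREACH = 3
UNREACH_NET, UNREACH_HOST = 0, 1
UNREACH_NET_PROHIB, UNREACH_HOST_PROHIB, UNREACH_FILTER_PROHIB = 9, 10, 13
ADMIN_PROHIB_CODES = {UNREACH_NET_PROHIB, UNREACH_HOST_PROHIB, UNREACH_FILTER_PROHIB}

class TcpState(Enum):
    SYN_SENT = "SYN-SENT"          # connection attempt, no reply yet
    ESTABLISHED = "ESTABLISHED"    # existing session that must survive soft errors

def parse_icmp_unreach(pkt: bytes):
    """Return (code, (src, sport, dst, dport)) taken from the quoted IPv4+TCP
    header of a dest-unreachable message, or None for any other ICMP type."""
    icmp_type, code = pkt[0], pkt[1]
    if icmp_type != ICMP_UNREACH:
        return None
    inner = pkt[8:]                             # quoted original datagram
    ihl = (inner[0] & 0x0F) * 4                 # IPv4 header length in bytes
    src = ".".join(map(str, inner[12:16]))
    dst = ".".join(map(str, inner[16:20]))
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return code, (src, sport, dst, dport)

def should_abort(code, state, icmp_admin_prohib_like_rst=1):
    """Policy from the thread: admin-prohibited acts like a RST only for a
    connection in SYN-SENT and only if the sysctl is on; host/network
    unreachable is a soft error and never aborts (RFC 1122 semantics)."""
    if code in ADMIN_PROHIB_CODES and icmp_admin_prohib_like_rst:
        return state is TcpState.SYN_SENT
    return False

def handle_icmp(pkt, conns, sysctl=1):
    """Match the quoted 4-tuple to the (constructed) connection table and
    return the action: 'abort', 'ignore' or 'no-conn'."""
    parsed = parse_icmp_unreach(pkt)
    if parsed is None:
        return "ignore"
    code, key = parsed
    state = conns.get(key)
    if state is None:
        return "no-conn"                        # quote matches no live connection
    return "abort" if should_abort(code, state, sysctl) else "ignore"

def build_icmp(code, src, dst, sport, dport):
    """Constructed sample: ICMP dest-unreachable quoting a 20-byte IPv4 header
    and a 20-byte TCP header of the packet that was filtered."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 0x50, 0x02, 65535, 0, 0)
    return struct.pack("!BBHI", ICMP_UNREACH, code, 0, 0) + ip + tcp
```

With a table holding one SYN-SENT and one ESTABLISHED connection, the same code-13 message aborts the first and is ignored for the second, and is also ignored when the sysctl is 0.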
To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-net" in the body of the message