On Thu, Aug 23, 2001 at 04:53:26PM -0400, Barney Wolff wrote:
>
> As another heavy nmap user, I'd vote just the other way.  It's useful
> to differentiate between a reset coming back from the destination host
> and an unreachable from a firewall/router-acl.  Ordinary apps probably
> don't care all that much about why a connection could not be
> established, and just report the error to the user.

I suspect that most (good) applications use strerror(3) to map errors
into messages for the user.  Today, users get "Network dropped
connection on reset"; with the patch they'd get "Connection refused".
I think the latter is preferred under POLA, especially when the former
is not a documented response to connect(2).

You have a valid point that icmp_may_rst changes nmap's behavior, even
with the proposed patch.  If you want nmap's historic behavior (admin
prohib ==> filtered), then turning off icmp_may_rst works.  With
icmp_may_rst turned on and the patch committed, you get the other
behavior (admin prohib ==> closed).  Without the patch, nmap spews
errors and would need a FreeBSD-specific change.

regards,
--Scott

-- 
Scott Renfro <[EMAIL PROTECTED]>                          +1 650 862 4206
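
Added example, not part of the original message and not nmap or FreeBSD code: a C sketch of how a connect(2)-based scanner maps errno to the port states discussed above, and why an errno outside the documented set needs special handling. The enum, the function names and the use of ENETRESET for the "Network dropped connection on reset" text are assumptions of this example; the probe targets a loopback port that is bound but not listening.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
/* Hypothetical port states, named after the nmap terms used in the thread. */
enum port_state { PORT_OPEN, PORT_CLOSED, PORT_FILTERED, PORT_UNEXPECTED };
/* Map the outcome of connect(2) to a state: 0 on success, otherwise errno. */
enum port_state classify_connect_errno(int err)
{
    switch (err) {
    case 0:            return PORT_OPEN;
    case ECONNREFUSED: return PORT_CLOSED;     /* RST from the destination host */
    case EHOSTUNREACH: case ENETUNREACH:
    case ETIMEDOUT:    return PORT_FILTERED;   /* ICMP unreachable, or silence */
    default:           return PORT_UNEXPECTED; /* e.g. ENETRESET (assumed here) */
    }
}

/* Connect to a loopback port that is bound but not listening.
 * Returns 0 on success, errno on failure, -1 if the setup itself failed. */
int probe_unlistened_loopback_port(void)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof(sa);
    int result = -1;
    int holder = socket(AF_INET, SOCK_STREAM, 0);
    int probe = socket(AF_INET, SOCK_STREAM, 0);
    memset(&sa, 0, sizeof(sa)); /* sin_port stays 0: the kernel picks a free port */
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (holder >= 0 && probe >= 0 &&
        bind(holder, (struct sockaddr *)&sa, sizeof(sa)) == 0 &&
        getsockname(holder, (struct sockaddr *)&sa, &len) == 0)
        result = connect(probe, (struct sockaddr *)&sa, sizeof(sa)) == 0 ? 0 : errno;
    if (holder >= 0) close(holder);
    if (probe >= 0) close(probe);
    return result;
}

int main(void)
{
    static const char *names[] = { "open", "closed", "filtered", "unexpected" };
    int errs[] = { probe_unlistened_loopback_port(), EHOSTUNREACH, ENETRESET };
    for (size_t i = 0; i < sizeof(errs) / sizeof(errs[0]); i++)
        printf("%-45s -> %s\n", strerror(errs[i]), names[classify_connect_errno(errs[i])]);
    return 0;
}
```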
