smart@manta.mel.dit.csiro.au (Robert Smart) (07/29/90)
I thought I'd experiment with access restrictions on the Cisco. I set it up to deny access to port 13 (daytime) on my machine. Then I logged into another machine on the other side of the Cisco and did telnet mymachine 13, and my login to the remote machine got blown away! Obviously the returning "host unreachable" caused telnet (or maybe it was rlogin) to drop the connection.

Now I don't think programs should give up so easily on the basis of host/network unreachable ICMP messages, but since they do, I wonder if returning ICMP unreachables can be disabled when only specific ports on a host are disabled. Or do I have to disable outgoing ICMPs on all the other interfaces?

Another point is that this shows that there are circumstances where you would like to restrict packets coming from a given interface instead of having to put an identical restriction on all the other interfaces.

Bob Smart <smart@mel.dit.csiro.au>
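The two things asked about in the post above (filtering on the interface the packets arrive from, and suppressing the ICMP unreachables the router sends back for denied packets) can both be expressed in Cisco IOS interface configuration. This is an added example, not configuration from the original thread; the host address and interface name are placeholders, and the syntax is that of later IOS releases, which may differ from the 1990 software being discussed.

```cisco
! Added example (not from the thread). 192.0.2.10 and Ethernet0 are placeholders.
! Deny only TCP port 13 (daytime) to the one host; allow everything else.
access-list 101 deny   tcp any host 192.0.2.10 eq 13
access-list 101 permit ip any any
!
interface Ethernet0
 ! Apply the filter to packets arriving on this interface only, instead of
 ! repeating it outbound on every other interface.
 ip access-group 101 in
 ! Do not generate ICMP Destination Unreachable for denied packets on this
 ! interface, so the far-side TCP stack never sees the unreachable.
 no ip unreachables
```

The caveat a practitioner would want: `no ip unreachables` suppresses every ICMP type 3 message the interface would originate, including the legitimate ones (no route, and on later stacks "fragmentation needed"), so it trades the symptom described above for silently dropped packets and should be applied only where that is acceptable.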
mrc@Tomobiki-Cho.CAC.Washington.EDU (Mark Crispin) (07/29/90)
In article <1990Jul28.234310.27064@mel.dit.csiro.au> smart@manta.mel.dit.csiro.au (Robert Smart) writes:
>and my login to the remote machine got blown away! Obviously the returning
>"host unreachable" caused telnet (or maybe it was rlogin) to drop the
>connection.

This is a bug in your system's Unix kernel. It afflicts many BSD-based Unix systems. At some time in the writing of BSD TCP, someone got the idea that ICMP Unreachables were so important that they should cause all pending read() or write() system calls on a TCP socket for that host to fail. The claim is that the user program should check the error code, realize it is not fatal, give a message to the user, and continue. The fact that no Unix user programs actually do this escaped this person, as did the real-world situation where ICMP Unreachables happen for transient conditions.

I'll leave aside the issue of whether issuing a warning message (Milnet TACs do this) is really a good idea in this day and age of file transfers and display editors.

The fix is to make ICMP Unreachables only nuke open() calls, and let TCP (or the user's own impatience) deal with lost connections on a read() or write(). Nag your vendor to do this; I managed to get NeXT to do so and it was a big improvement! There are a couple of patches floating around on the network that disable ICMP Unreachable processing entirely.

Mark Crispin, 206 842-2385, R90/6 pilot, DoD#0105
6158 Lariat Loop NE
Bainbridge Island, WA
USA 98110-2098
"Foreigner! Foreigner!" "Where is the foreigner?" "Big brother is a foreigner." "No. I'm not a foreigner. You're the foreigner, aren't you?" "No, I'm Japanese." "I see. A foreigner after all!"
Heh, but if you use something like UNIX and it doesn't work out, don't blame me.
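The rule argued in the post above (an unreachable is decisive during connection setup, but only a transient condition on an established connection, where TCP's own retransmission should decide whether the peer is gone) is what a user program would have to implement itself on a kernel that surfaces the error on read() and write(). The following is an added example written for this page, not code from the thread or from any vendor's kernel or telnet; the errno set, the retry budget, and the FlakySocket stand-in are assumptions made so it runs offline.

```python
"""Treat ICMP Unreachable errors as soft errors on an established TCP
connection, failing only during connect().  Added example, not from the
original thread; the errno mapping and retry budget are assumptions."""
import errno

# errno values a BSD-derived kernel may surface when an ICMP Destination
# Unreachable arrives for a connection (assumption: net/host unreachable,
# plus ECONNREFUSED, which is how port unreachable is usually reported).
UNREACHABLE_ERRNOS = frozenset(
    {errno.ENETUNREACH, errno.EHOSTUNREACH, errno.ECONNREFUSED}
)


def is_fatal(err: OSError, during_connect: bool) -> bool:
    """Decide whether an OSError from a socket call should end the session.

    During connect() an unreachable is decisive: there is no connection yet.
    On an established connection it is treated as transient; anything that is
    not an unreachable (EPIPE, ECONNRESET, ...) is fatal either way.
    """
    if err.errno in UNREACHABLE_ERRNOS:
        return during_connect
    return True


def send_resilient(sock, data: bytes, max_soft_errors: int = 3) -> int:
    """sendall() that rides out ICMP-triggered soft errors.

    Returns the number of soft errors absorbed.  Raises on a fatal error, or
    once the soft-error budget is spent, so a peer that really is gone still
    ends the session, just not on the first unreachable.
    """
    soft = 0
    while True:
        try:
            sock.sendall(data)
            return soft
        except OSError as e:
            if is_fatal(e, during_connect=False) or soft >= max_soft_errors:
                raise
            soft += 1
            # A warning to the user (as the Milnet TACs did) would go here.


class FlakySocket:
    """Constructed stand-in for a connected socket whose kernel reports an
    ICMP Host Unreachable on the first `failures` writes, then delivers."""

    def __init__(self, failures: int):
        self.failures = failures
        self.sent = b""

    def sendall(self, data: bytes) -> None:
        if self.failures > 0:
            self.failures -= 1
            raise OSError(errno.EHOSTUNREACH, "No route to host")
        self.sent += data


def demo_transient():
    """Two unreachables arrive mid-session; the write still completes."""
    s = FlakySocket(failures=2)
    absorbed = send_resilient(s, b"hello\n")
    return absorbed, s.sent


def demo_exhausted() -> bool:
    """More unreachables than the budget allows: the session ends."""
    s = FlakySocket(failures=5)
    try:
        send_resilient(s, b"x", max_soft_errors=3)
    except OSError:
        return True
    return False


def demo_connect_phase() -> bool:
    """The same errno during connect() is fatal, as the post wants."""
    return is_fatal(OSError(errno.EHOSTUNREACH, "No route to host"), True)


if __name__ == "__main__":
    print(demo_transient(), demo_exhausted(), demo_connect_phase())
```

The point of splitting the decision into `is_fatal` is that the same errno means different things at different stages of the connection; a program that checks only the error code, without knowing whether it was connecting or already connected, cannot get this right.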