DoS, ICMP, proxies, SYNDefender

Thanks for the RFC quote..... I've been hacking code for
hours and just the qoute is a big help.


On the SYNDefender firewall..... if we are interested in
firewalls, then the 'elegant firewall solution' is, IMO,
to insure that our gateways send ICMP UNREACHABLE messages
back to the host. Then it is somewhat easy to do the
kernel checks to free SYN_REVC 'zombies'

For example it is two hops from here to the provider host
that blackholes the SYN/ACK second part of the handshake.
If that gateway would send me an UNREACHABLE message,
it would be easy to just end RST as in the no-problem
reachable state.

And, TCP remains an end-to-end protocol, which, I think, we
all would think would be 'elegant'.....

I feel like a cheerleader 'Give me an U N R E A C H A B L E'
wha-at-ya-got .........

Best Regards,