* Roman Kennke <roman@××××××××××××.com> 9. Jan 04
> > From the technical aspect not to answer to a request is not the
> > right behaviour of a device conform to RFCs.
> What about a compromise like this: In general allow RFC-compliant
> traffic, but tightly control REJECTs and some ICMP traffic with --limit
> and DROP the rest, this should help a lot against DoS (if this is at all
> possible with REJECTs).

You get my full acknowledgement for this. More generally I would restate
that you MUST[1] behave conform to RFCs as long as your communication
partner does. If (s)he offends standards (say: repetitive ignoring ICMP
errors) you MAY[1] leave standards for this host, too.

Can we reach this agreement?
Regards, Frank.
===footnote===
[1] in the way another RFC defines this word
--
Sigmentation fault

--
gentoo-security@g.o mailing list
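
The compromise quoted above (answer with REJECT and ICMP replies up to a `--limit` budget, DROP the rest) written out as an iptables ruleset. This is an added example, not part of the original thread; the rate, the burst, the chain name `LIMITED_REJECT` and the open SSH port are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. RATE, BURST, the chain name and the
# allowed SSH port are assumptions; tune them for the host.
RATE="${RATE:-10/second}"
BURST="${BURST:-20}"

# With DRY_RUN=1 the commands are printed instead of executed.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

limited_reject_rules() {
    # Answer as the RFCs expect while inside the budget, then go silent.
    ipt -N LIMITED_REJECT
    ipt -A LIMITED_REJECT -p tcp -m limit --limit "$RATE" --limit-burst "$BURST" \
        -j REJECT --reject-with tcp-reset
    ipt -A LIMITED_REJECT -p udp -m limit --limit "$RATE" --limit-burst "$BURST" \
        -j REJECT --reject-with icmp-port-unreachable
    ipt -A LIMITED_REJECT -j DROP

    ipt -A INPUT -i lo -j ACCEPT
    # RELATED lets through ICMP errors that belong to our own connections.
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Echo requests are answered up to the same budget, the excess is dropped.
    ipt -A INPUT -p icmp --icmp-type echo-request \
        -m limit --limit "$RATE" --limit-burst "$BURST" -j ACCEPT
    ipt -A INPUT -p icmp --icmp-type echo-request -j DROP
    ipt -A INPUT -p tcp --dport 22 -j ACCEPT   # assumed: the one open service
    # Everything else: rate-limited REJECT, DROP once the budget is spent.
    ipt -A INPUT -j LIMITED_REJECT
}

# Run only when asked, e.g.  DRY_RUN=1 APPLY=1 sh this-script.sh
if [ "${APPLY:-0}" = 1 ]; then
    limited_reject_rules
fi
```

The `limit` match keeps one token bucket per rule, shared by all senders, so a single noisy host can use up the REJECT budget for everyone; the `hashlimit` match keeps separate buckets per source address.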