Subject: Re: Usability enhancement for IP6
To: Ignatios Souvatzis <is@NetBSD.org>
From: Bryan Phillippe <bp009@terran.org>
List: tech-net
Date: 02/08/2005 12:12:16
On the distinguished day of Feb 8, Ignatios Souvatzis stated:

> Hi,
>
> Bryan Phillippe wrote:
>
> > We should probably make an analogous change to tcp4 as well.  As
> > someone else pointed out, some firewalls (including the one I wrote for
> > my employer's network device) can return "administratively prohibited"
> > for blocked services.
>
> "can return"?
>
> What, if not this condition, would "administratively prohibited" be used
> for?

See RFC 1812 5.2.7.1 for the intended use of "administratively prohibited"
(ICMP unreachable code 13).  Also see the two paragraphs following the code
enumeration for further guidelines on its use.

Most firewalls support the ability to choose between performing a
"discarding deny" or a "responding reject" for blocked services.  The
latter can be done either with a general ICMP unreachable of some
kind (such as code 13), or a protocol-specific method (such as RST for
TCP).  Most firewalls support the ability to use either.

-bp
--
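As an added illustration of the three firewall behaviours discussed above (not part of the original message or of any NetBSD code): a small Python script that builds the packets a client would see in each case and classifies them. A "discarding deny" is modelled as no reply at all; a "responding reject" is either an ICMP destination unreachable carrying code 13 (administratively prohibited) or a TCP RST. The addresses, ports and the byte layouts are constructed in memory from the RFC 792/791 formats, and nothing is sent on the wire; the ICMP and IPv4 checksums are real (RFC 1071), so the classifier can reject a mangled ICMP message.

```python
"""Classify how a blocked connection attempt was answered: silent drop,
ICMP destination unreachable (e.g. code 13), or TCP RST.
All packets are constructed in memory for illustration; nothing is sent."""
import socket
import struct
from typing import Optional, Tuple

IPPROTO_ICMP = 1
IPPROTO_TCP = 6
ICMP_DEST_UNREACH = 3          # ICMP type 3 (RFC 792)
ICMP_ADMIN_PROHIBITED = 13     # code 13 (RFC 1812 5.2.7.1)
TCP_FLAG_RST = 0x04


def rfc1071_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words, as used by IPv4 and ICMP.
    Run over a message that already carries its checksum, the result is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


IPV4_FMT = "!BBHHHBBH4s4s"     # 20-byte header, no options


def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Minimal IPv4 header (TTL 64, no fragmentation) with a valid checksum."""
    fields = [0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = rfc1071_checksum(struct.pack(IPV4_FMT, *fields))
    return struct.pack(IPV4_FMT, *fields) + payload


TCP_FMT = "!HHIIBBHHH"         # 20-byte header, no options


def build_tcp(sport: int, dport: int, seq: int, ack: int, flags: int) -> bytes:
    """TCP header, data offset 5; checksum left zero since it is never sent."""
    return struct.pack(TCP_FMT, sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)


def build_icmp_unreachable(code: int, quoted: bytes) -> bytes:
    """ICMP destination unreachable: type 3, code, unused word, then the
    offending datagram's IP header plus its first 8 bytes (RFC 792)."""
    body = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + quoted
    csum = rfc1071_checksum(body)
    return struct.pack("!BBHI", ICMP_DEST_UNREACH, code, csum, 0) + quoted


def quoted_destination(icmp_msg: bytes) -> Tuple[int, str, int]:
    """(protocol, destination IP, destination port) of the datagram an ICMP
    error quotes; a host uses this to match the error to its own connection."""
    inner = icmp_msg[8:]
    ihl = (inner[0] & 0x0F) * 4
    dport = struct.unpack("!H", inner[ihl + 2:ihl + 4])[0]
    return inner[9], socket.inet_ntoa(inner[16:20]), dport


def classify_reply(reply: Optional[bytes]) -> str:
    """Name the firewall behaviour the client observed for one blocked attempt."""
    if reply is None:
        return "discarding deny (no response)"
    ihl = (reply[0] & 0x0F) * 4
    proto = reply[9]
    transport = reply[ihl:]
    if proto == IPPROTO_ICMP:
        if rfc1071_checksum(transport) != 0:
            return "ICMP with bad checksum"
        icmp_type, icmp_code = transport[0], transport[1]
        if icmp_type != ICMP_DEST_UNREACH:
            return "ICMP type %d" % icmp_type
        if icmp_code == ICMP_ADMIN_PROHIBITED:
            return "responding reject: ICMP unreachable, code 13 (administratively prohibited)"
        return "responding reject: ICMP unreachable, code %d" % icmp_code
    if proto == IPPROTO_TCP:
        flags = transport[13]
        if flags & TCP_FLAG_RST:
            return "responding reject: TCP RST"
        return "TCP segment (flags 0x%02x)" % flags
    return "IP protocol %d" % proto


# Constructed sample traffic; addresses are RFC 5737 documentation ranges.
CLIENT, SERVER, FIREWALL = "192.0.2.10", "198.51.100.20", "198.51.100.1"
ORIGINAL_SYN = build_ipv4(IPPROTO_TCP, CLIENT, SERVER,
                          build_tcp(40000, 25, 1000, 0, 0x02))   # SYN to port 25
QUOTED = ORIGINAL_SYN[:28]        # IP header + first 8 bytes of TCP header

REPLY_SILENT = None
REPLY_CODE13 = build_ipv4(IPPROTO_ICMP, FIREWALL, CLIENT,
                          build_icmp_unreachable(ICMP_ADMIN_PROHIBITED, QUOTED))
REPLY_RST = build_ipv4(IPPROTO_TCP, SERVER, CLIENT,
                       build_tcp(25, 40000, 0, 1001, 0x14))       # RST|ACK

if __name__ == "__main__":
    for name, reply in (("silent", REPLY_SILENT), ("icmp13", REPLY_CODE13), ("rst", REPLY_RST)):
        print("%-7s -> %s" % (name, classify_reply(reply)))
    print("quoted datagram:", quoted_destination(REPLY_CODE13[20:]))
```

The point for a TCP stack's error reporting (the subject of this thread) is visible in `classify_reply`: only the two "responding reject" forms give the connecting host something to report immediately, and for the ICMP form the quoted inner header is what lets the stack attribute the error to the right socket.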