The problem is that the most common failure mode is *not*
getting an RST back, but getting NOTHING back because
some squirrely firewall between here and there is silently
dropping packets with bits it doesn't understand.
Ah ... that would definitely be a bug with the firewall, then.
However, a slight complication is that firewalls normally do not enter
into TCP/IP conversations as proxies for the true correspondents--so is
it really appropriate for a firewall to send a RST on behalf of some
other host? If the firewall really is a legitimate proxy as well, no
problem, but if it is intended to be fairly transparent, holding
conversations with a distant host in a way that gives the latter the
impression that it is talking to someone else is risky business.
I also don't see why a firewall would drop packets just because reserved
bits are set, although I can see why it might be a configurable option
for the most paranoid users.
Description: S/MIME Cryptographic Signature