Applications will have to deal with that, yet there is no hint
unless we provide a well-known flag.
applications cannot be expected to deal with filters in any way other
than
to report that the communication is prohibited. the "well known" flag
exists and is called ICMP.
Well, that is emphatically *NOT* what application developers do. They do
not just observe that it does not work, they try to work around, e.g.
routing messages to a different address, at a different time, through a
third party, or through a different protocol.
Silently dropping packets is certainly not the right way to get an
application to stop trying. ICMP messages won't achieve that either:
since ICMP is insecure, it is routinely ignored.
Which actually poses an interesting question: when should an application
just give up? IMHO, there is only one clear-cut case, i.e. when the
application actually contacted the peer and obtained an explicit
statement that the planned exchange should not take place -- the
equivalent of a 4XX or 5XX error in SMTP or HTTP.
-- Christian Huitema