Subject: Re: kern/10134: ipfilter with careless ICMP rules will send ICMP in response to ICMP
To: None <firstname.lastname@example.org>
From: Wolfgang Rupprecht <email@example.com>
Date: 05/16/2000 17:15:24
> I have a lot of sympathy with just saying "dont do that".
> But I think the most-correct (vis-a-vis rfc1222) action
> is to modify IPfilter's "block return-icmp" to check if the
> blocked packet is an ICMP, and if it is, to silently
> drop the ICMP packet.
Although it would be beneficial if some ICMP's such as
icmp-echo-request and icmp-echo-reply were allowed to generate ICMP
error msgs. It is only sending ICMP error messages in reply to ICMP
error messages that cause the infinite-ping-ponging error message
Personally I'd like to see as little policy in the code as possible
and just put a big fat note in the ipfilter documentation that says
always precede a return-icmp with a test for the error-icmp's and
silently drop them.
(Sort of like having the block for sending network 127.0.0.0 packets
off-host done via a user-level "route add -net 127.0.0.0 127.0.0.1
-reject" call instead of hardwired in kernel code.)
Wolfgang Rupprecht <firstname.lastname@example.org>
DGPS signals via the Internet http://www.wsrcc.com/wolfgang/gps/dgps-ip.html