Subject: Re: kern/10134: ipfilter with careless ICMP rules will send ICMP in response to ICMP
To: Wolfgang Rupprecht <>
From: Andrew Brown <>
List: netbsd-bugs
Date: 05/17/2000 09:34:37
>> 	I have a lot of sympathy with just saying "dont do that".
>> 	But I think the most-correct (vis-a-vis rfc1222)  action
>> 	is to modify IPfilter's  "block return-icmp" to check if the
>> 	blocked packet is an ICMP, and if it is, to silently
>> 	drop the ICMP packet.
>Although it would be beneficial if some ICMP's such as
>icmp-echo-request and icmp-echo-reply were allowed to generate ICMP
>error msgs.  It is only sending ICMP error messages in reply to ICMP
>error messages that cause the infinite-ping-ponging error message
>Personally I'd like to see as little policy in the code as possible
>and just put a big fat note in the ipfilter documentation that says
>always precede a return-icmp with a test for the error-icmp's and
>silently drop them.

or perhaps the syntax for ipfilter could be extended so that one could

   block return-icmp-as-dest in quick on <if0> proto icmp-err from <foo> to <bar>

>(Sort of like having the block for sending network packets
>off-host done via a user-level "route add -net
>-reject" call instead of hardwired in kernel code.)

um...exactly.  because it's not hardwired in kernel code and shouldn't

|-----< "CODE WARRIOR" >-----|             * "ah!  i see you have the internet (Andrew Brown)                that goes *ping*!"       * "information is power -- share the wealth."