Subject: Re: kern/10134: ipfilter with careless ICMP rules will send ICMP in response to ICMP
To: Wolfgang Rupprecht <firstname.lastname@example.org>
From: Andrew Brown <email@example.com>
Date: 05/17/2000 09:34:37
>> I have a lot of sympathy with just saying "dont do that".
>> But I think the most-correct (vis-a-vis rfc1222) action
>> is to modify IPfilter's "block return-icmp" to check if the
>> blocked packet is an ICMP, and if it is, to silently
>> drop the ICMP packet.
>Although it would be beneficial if some ICMP's such as
>icmp-echo-request and icmp-echo-reply were allowed to generate ICMP
>error msgs. It is only sending ICMP error messages in reply to ICMP
>error messages that cause the infinite-ping-ponging error message
>Personally I'd like to see as little policy in the code as possible
>and just put a big fat note in the ipfilter documentation that says
>always precede a return-icmp with a test for the error-icmp's and
>silently drop them.
or perhaps the syntax for ipfilter could be extended so that one could
block return-icmp-as-dest in quick on <if0> proto icmp-err from <foo> to <bar>
>(Sort of like having the block for sending network 127.0.0.0 packets
>off-host done via a user-level "route add -net 127.0.0.0 127.0.0.1
>-reject" call instead of hardwired in kernel code.)
um...exactly. because it's not hardwired in kernel code and shouldn't
|-----< "CODE WARRIOR" >-----|
firstname.lastname@example.org * "ah! i see you have the internet
email@example.com (Andrew Brown) that goes *ping*!"
firstname.lastname@example.org * "information is power -- share the wealth."