Subject: Re: kern/10134: ipfilter with careless ICMP rules will send ICMP in response to ICMP
To: Wolfgang Rupprecht <wolfgang@wsrcc.com>
From: Andrew Brown <atatat@atatdot.net>
List: netbsd-bugs
Date: 05/17/2000 09:34:37
>> 	I have a lot of sympathy with just saying "don't do that".
>> 	But I think the most-correct (vis-a-vis rfc1222) action
>> 	is to modify IPfilter's "block return-icmp" to check if the
>> 	blocked packet is an ICMP, and if it is, to silently
>> 	drop the ICMP packet.
>
>Although it would be beneficial if some ICMPs such as
>icmp-echo-request and icmp-echo-reply were allowed to generate ICMP
>error msgs.  It is only sending ICMP error messages in reply to ICMP
>error messages that causes the infinite-ping-ponging error message
>problem.
>
>Personally I'd like to see as little policy in the code as possible
>and just put a big fat note in the ipfilter documentation that says
>always precede a return-icmp with a test for the error ICMPs and
>silently drop them.

or perhaps the syntax for ipfilter could be extended so that one could
say

   block return-icmp-as-dest in quick on <if0> proto icmp-err from <foo> to <bar>

>(Sort of like having the block for sending network 127.0.0.0 packets
>off-host done via a user-level "route add -net 127.0.0.0 127.0.0.1
>-reject" call instead of hardwired in kernel code.)

um...exactly.  because it's not hardwired in kernel code and shouldn't
be.

-- 
|-----< "CODE WARRIOR" >-----|
codewarrior@daemon.org             * "ah!  i see you have the internet
twofsonet@graffiti.com (Andrew Brown)                that goes *ping*!"
andrew@crossbar.com       * "information is power -- share the wealth."
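The rule ordering the thread recommends, written out as an added illustration (this is not a ruleset from the bug report or from the ipfilter project): the ICMP error types are matched and silently dropped by `quick` rules before any rule that carries `return-icmp`, so a blocked ICMP error can never be answered with another ICMP error. The interface name fxp0, the catch-all block at the end and the choice of unreachable codes are assumptions made for the example.

```conf
# ipf.conf fragment (constructed example; interface fxp0 is assumed)

# 1. ICMP error messages first: drop them and send nothing back.
#    The icmp-type keywords below are ipf's names for destination
#    unreachable, source quench, redirect, time exceeded and
#    parameter problem.
block in quick on fxp0 proto icmp from any to any icmp-type unreach
block in quick on fxp0 proto icmp from any to any icmp-type squench
block in quick on fxp0 proto icmp from any to any icmp-type redir
block in quick on fxp0 proto icmp from any to any icmp-type timex
block in quick on fxp0 proto icmp from any to any icmp-type paramprob

# 2. Remaining ICMP (echo request/reply, timestamps, ...) are not
#    error messages, so answering them with an unreachable is allowed
#    and cannot ping-pong: the peer may not reply to an error with
#    another error.
block return-icmp(host-unr) in quick on fxp0 proto icmp from any to any

# 3. Only now the "careless" catch-all rules that generate ICMP or RST.
#    Every ICMP error arriving on fxp0 was already consumed by the
#    quick rules in step 1, so none of these can fire for one.
block return-rst in quick on fxp0 proto tcp from any to any
block return-icmp(port-unr) in quick on fxp0 proto udp from any to any
block return-icmp(host-unr) in quick on fxp0 all
```

Because `quick` stops rule evaluation at the first match, the order of the groups is what carries the policy: swapping group 1 below group 3 reproduces the behaviour described in the bug report, with the firewall answering an incoming unreachable with another unreachable.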