tech-net archive


ipfilter, return-icmp and RFC1122



Hi,

I recently noticed that ipfilter with `block return-icmp' is returning
ICMP Type 3 Code 0 (Network unreachable) to the sender of a blocked
broadcast:

        130.3.3.3 ---------[UDP%130.3.3.255@localhost]--------> 130.3.3.4
        130.3.3.3 <----[ICMP Network unreachable]---- 130.3.3.4


This seems wrong, considering RFC1122, page 39:

         An ICMP error message MUST NOT be sent as the result of
         receiving:

         *    an ICMP error message, or

         *    a datagram destined to an IP broadcast or IP multicast
              address, or

         *    a datagram sent as a link-layer broadcast, or

         *    a non-initial fragment, or

         *    a datagram whose source address does not define a single
              host -- e.g., a zero address, a loopback address, a
              broadcast address, a multicast address, or a Class E
              address.


Is this desired behaviour?

My ipf.conf:

        pass in  quick on lo0 all
        pass out quick on lo0 all

        block in quick from 192.168.0.0/16 to any
        block in quick from 172.16.0.0/12 to any
        block in quick from 10.0.0.0/8 to any
        block in quick from 127.0.0.0/8 to any
        block in quick from 0.0.0.0/8 to any
        block in quick from 169.254.0.0/16 to any
        block in quick from 192.0.2.0/24 to any
        block in quick from 204.152.64.0/23 to any
        block in quick from 224.0.0.0/3 to any

        block out log first level auth.info quick from any to 192.168.0.0/16
        block out log first level auth.info quick from any to 172.16.0.0/12
        block out log first level auth.info quick from any to 10.0.0.0/8
        block out log first level auth.info quick from any to 127.0.0.0/8
        block out log first level auth.info quick from any to 0.0.0.0/8
        block out log first level auth.info quick from any to 169.254.0.0/16
        block out log first level auth.info quick from any to 192.0.2.0/24
        block out log first level auth.info quick from any to 204.152.64.0/23
        block out log first level auth.info quick from any to 224.0.0.0/3

        block in  all
        block out all

        pass in  proto icmp icmp-type 3
        pass in  proto icmp icmp-type 8 keep state
        pass out proto icmp icmp-type 3
        pass out proto icmp icmp-type 8 keep state

        pass in proto udp from any to any port = 53 keep state
        pass in proto tcp from any to any port = 22 flags S keep state keep frags
        pass in proto tcp from any to any port = 25 flags S keep state keep frags
        pass in proto tcp from any to any port = 53 flags S keep state keep frags

        pass out proto udp from any to any port =  53 keep state
        pass out proto udp from any to any port = 123 keep state
        pass out proto tcp from any to any port =  25 flags S keep state keep frags
        pass out proto tcp from any to any port =  53 flags S keep state keep frags


Thanks,

Petar

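An added illustration, not part of Petar's mail or of ipfilter's own code: a Python check of the RFC 1122 conditions quoted above, applied to the constructed packet from the mail. The /24 netmask for 130.3.3.0 and the `Packet` field names are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# ICMP types that are themselves error reports (RFC 792): 3 dest unreachable,
# 4 source quench, 5 redirect, 11 time exceeded, 12 parameter problem
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}
ZERO_NET = ipaddress.ip_network("0.0.0.0/8")
LIMITED_BCAST = ipaddress.IPv4Address("255.255.255.255")

@dataclass
class Packet:                      # hypothetical, minimal view of a datagram
    src: str
    dst: str
    proto: str                     # "udp", "tcp" or "icmp"
    frag_offset: int = 0           # non-zero means a non-initial fragment
    icmp_type: Optional[int] = None  # only meaningful when proto == "icmp"
    link_bcast: bool = False       # frame arrived as a link-layer broadcast

def source_is_single_host(src: ipaddress.IPv4Address, net: ipaddress.IPv4Network) -> bool:
    """RFC 1122 3.2.2: zero, loopback, broadcast, multicast and Class E sources
    do not identify one host, so there is nobody to report an error to."""
    return not (src in ZERO_NET or src.is_loopback or src == net.broadcast_address
                or src == LIMITED_BCAST or src.is_multicast
                or src.is_reserved)          # is_reserved == 240.0.0.0/4 (Class E)

def icmp_error_permitted(pkt: Packet, local_net) -> Tuple[bool, str]:
    """Return (allowed, reason): may a filter answer this datagram with an ICMP error?"""
    net = ipaddress.ip_network(local_net)
    src, dst = ipaddress.IPv4Address(pkt.src), ipaddress.IPv4Address(pkt.dst)
    if pkt.proto == "icmp" and pkt.icmp_type in ICMP_ERROR_TYPES:
        return False, "triggering packet is an ICMP error message"
    if dst.is_multicast or dst == net.broadcast_address or dst == LIMITED_BCAST:
        return False, "destination is an IP broadcast or multicast address"
    if pkt.link_bcast:
        return False, "datagram was sent as a link-layer broadcast"
    if pkt.frag_offset != 0:
        return False, "datagram is a non-initial fragment"
    if not source_is_single_host(src, net):
        return False, "source address does not define a single host"
    return True, "ok"

if __name__ == "__main__":
    # Constructed reproduction of the case in the mail (netmask assumed /24).
    for pkt in (Packet("130.3.3.3", "130.3.3.255", "udp"),
                Packet("130.3.3.3", "130.3.3.4", "udp")):
        print(pkt.src, "->", pkt.dst, icmp_error_permitted(pkt, "130.3.3.0/24"))
```

The first packet is the blocked broadcast from the mail and is refused an ICMP reply; the second, a unicast to the same host, is the case where `return-icmp` is legitimate.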
