tech-net archive
Re: ipfilter, return-icmp and RFC1122
On Wed, Jun 04, 2008 at 03:03:06PM +0200, Petar Bogdanovic wrote:
> Hi,
>
> I recently noticed that ipfilter with `block return-icmp' is returning
> ICMP Type 3 Code 0 (Network unreachable) to the sender of a blocked
> broadcast:
>
> 130.3.3.3 ---------[UDP%130.3.3.255@localhost]--------> 130.3.3.4
> 130.3.3.3 <----[ICMP Network unreachable]---- 130.3.3.4
>
>
> This seems wrong, considering RFC1122, page 39:
>
> An ICMP error message MUST NOT be sent as the result of
> receiving:
>
> * an ICMP error message, or
>
> * a datagram destined to an IP broadcast or IP multicast
> address, or
>
> * a datagram sent as a link-layer broadcast, or
>
> * a non-initial fragment, or
>
> * a datagram whose source address does not define a single
> host -- e.g., a zero address, a loopback address, a
> broadcast address, a multicast address, or a Class E
> address.
>
>
> Is this desired behaviour?
>
> My ipf.conf:
Oops, while removing the comments I removed the two most important
lines. Here is my complete ipf.conf:
pass in quick on lo0 all
pass out quick on lo0 all
block in quick from 192.168.0.0/16 to any
block in quick from 172.16.0.0/12 to any
block in quick from 10.0.0.0/8 to any
block in quick from 127.0.0.0/8 to any
block in quick from 0.0.0.0/8 to any
block in quick from 169.254.0.0/16 to any
block in quick from 192.0.2.0/24 to any
block in quick from 204.152.64.0/23 to any
block in quick from 224.0.0.0/3 to any
block out log first level auth.info quick from any to 192.168.0.0/16
block out log first level auth.info quick from any to 172.16.0.0/12
block out log first level auth.info quick from any to 10.0.0.0/8
block out log first level auth.info quick from any to 127.0.0.0/8
block out log first level auth.info quick from any to 0.0.0.0/8
block out log first level auth.info quick from any to 169.254.0.0/16
block out log first level auth.info quick from any to 192.0.2.0/24
block out log first level auth.info quick from any to 204.152.64.0/23
block out log first level auth.info quick from any to 224.0.0.0/3
block in all
block out all
+block return-rst in proto tcp
+block return-icmp in proto udp
pass in proto icmp icmp-type 3
pass out proto icmp icmp-type 3
pass in proto icmp icmp-type 8 keep state
pass out proto icmp icmp-type 8 keep state
pass in proto udp from any to any port = 53 keep state
pass in proto tcp from any to any port = 22 flags S keep state keep frags
pass in proto tcp from any to any port = 25 flags S keep state keep frags
pass in proto tcp from any to any port = 53 flags S keep state keep frags
pass out proto udp from any to any port = 53 keep state
pass out proto udp from any to any port = 123 keep state
pass out proto tcp from any to any port = 25 flags S keep state keep frags
pass out proto tcp from any to any port = 53 flags S keep state keep frags
Petar
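As an added illustration (not part of the thread or of ipfilter itself), the following Python applies the RFC 1122 "MUST NOT" list quoted above to a blocked datagram and reports whether a filter may answer it with an ICMP error at all. The 130.3.3.0/24 network, the Datagram fields and the reason strings are assumptions chosen for the example; the datagram values mirror the UDP-to-130.3.3.255 case from the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# ICMP types that are themselves error messages (RFC 1122 section 3.2.2):
# destination unreachable, source quench, redirect, time exceeded, parameter problem.
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}

@dataclass
class Datagram:
    src: str                         # IP source address
    dst: str                         # IP destination address
    proto: int                       # 1 = ICMP, 6 = TCP, 17 = UDP
    frag_offset: int = 0             # non-zero => non-initial fragment
    icmp_type: Optional[int] = None  # only meaningful when proto == 1
    link_broadcast: bool = False     # arrived as a link-layer (e.g. Ethernet) broadcast

def may_send_icmp_error(dgram: Datagram, local_net: str) -> Tuple[bool, str]:
    """Apply the RFC 1122 MUST NOT list to a blocked datagram.

    Returns (True, "ok") when a filter may answer with an ICMP error
    (e.g. ipfilter's `block return-icmp`), otherwise (False, reason).
    local_net is the directed-broadcast domain of the receiving interface
    (an assumption: the thread only shows the 130.3.3.255 address).
    """
    net = ipaddress.ip_network(local_net, strict=False)
    src = ipaddress.ip_address(dgram.src)
    dst = ipaddress.ip_address(dgram.dst)
    limited_bcast = ipaddress.ip_address("255.255.255.255")
    if dgram.proto == 1 and dgram.icmp_type in ICMP_ERROR_TYPES:
        return False, "icmp-error"
    if dst.is_multicast or dst in (net.broadcast_address, limited_bcast):
        return False, "ip-broadcast-or-multicast"
    if dgram.link_broadcast:
        return False, "link-layer-broadcast"
    if dgram.frag_offset != 0:
        return False, "non-initial-fragment"
    # Source must identify a single host: not zero, loopback, broadcast,
    # multicast or Class E (240.0.0.0/4, which ipaddress reports as reserved).
    if (src in ipaddress.ip_network("0.0.0.0/8") or src.is_loopback or src.is_multicast
            or src.is_reserved or src in (net.broadcast_address, limited_bcast)):
        return False, "source-not-single-host"
    return True, "ok"

if __name__ == "__main__":
    # Constructed inputs: the broadcast case from the thread, then a unicast one.
    print(may_send_icmp_error(Datagram("130.3.3.3", "130.3.3.255", 17), "130.3.3.0/24"))
    print(may_send_icmp_error(Datagram("130.3.3.3", "130.3.3.4", 17), "130.3.3.0/24"))
```

Run against the thread's datagram it returns the broadcast reason, which is the check a `return-icmp` implementation would need before emitting Type 3 Code 0; the unicast variant is the case where replying is legitimate.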