Re: ipfilter, return-icmp and RFC1122

To: tech-net%NetBSD.org@localhost
Subject: Re: ipfilter, return-icmp and RFC1122
From: der Mouse <mouse%Rodents.Montreal.QC.CA@localhost>
Date: Wed, 4 Jun 2008 11:16:16 -0400 (EDT)

>> I recently noticed that ipfilter with `block return-icmp' is
>> returning ICMP Type 3 Code 0 (Network unreachable) to the sender of
>> a blocked broadcast:

>>      130.3.3.3 ---------[UDP%130.3.3.255@localhost]--------> 130.3.3.4
>>      130.3.3.3 <----[ICMP Network unreachable]---- 130.3.3.4

>> This seems wrong, considering RFC1122, page 39:

>>          An ICMP error message MUST NOT be sent as the result of
>>          receiving:
[...]
>>          *    a datagram destined to an IP broadcast or IP multicast
>>               address, [...]

>       +block return-icmp in proto udp

I would say that the resulting behaviour is, strictly, wrong, but that
it's not ipf's fault: it's doing exactly what you told it to do.

I do not see any reason why ipf - or most other pieces of software, for
that matter - have to make it impossible, or even difficult, to violate
standards.  Just as I don't expect to be prevented from deleting the
postmaster alias in my mailer, or running 127.0.5.0/24 as an "ordinary"
Ethernet if I try, I don't expect ipf to impose all the Host
Requirements on me.

/~\ The ASCII                           der Mouse
\ / Ribbon Campaign
 X  Against HTML               mouse%rodents.montreal.qc.ca@localhost
/ \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B

References:
- ipfilter, return-icmp and RFC1122
  - From: Petar Bogdanovic
- Re: ipfilter, return-icmp and RFC1122
  - From: Petar Bogdanovic

Prev by Date: Re: ipfilter, return-icmp and RFC1122
Next by Date: Re: ipfilter, return-icmp and RFC1122
Previous by Thread: Re: ipfilter, return-icmp and RFC1122
Next by Thread: Re: ipfilter, return-icmp and RFC1122
Indexes:

Home | Main Index | Thread Index | Old Index