Re: ipfilter, return-icmp and RFC1122

["Steven M. Bellovin" <smb%cs.columbia.edu@localhost>]

On Wed, 4 Jun 2008 15:03:06 +0200
Petar Bogdanovic <petar%smokva.net@localhost> wrote:

> Hi,
> 
> I recently noticed that ipfilter with `block return-icmp' is returning
> ICMP Type 3 Code 0 (Network unreachable) to the sender of a blocked
> broadcast:
> 
>       130.3.3.3 ---------[UDP%130.3.3.255@localhost]--------> 130.3.3.4
>       130.3.3.3 <----[ICMP Network unreachable]---- 130.3.3.4
> 
> 
> This seems wrong, considering RFC1122, page 39:
> 
>          An ICMP error message MUST NOT be sent as the result of
>          receiving:
> 
>          *    an ICMP error message, or
> 
>          *    a datagram destined to an IP broadcast or IP multicast
>               address, or
> 
>          *    a datagram sent as a link-layer broadcast, or
> 
>          *    a non-initial fragment, or
> 
>          *    a datagram whose source address does not define a single
>               host -- e.g., a zero address, a loopback address, a
>               broadcast address, a multicast address, or a Class E
>               address.
> 
> 
> Is this desired behaviour?
> 

I don't see the conflict.  The intent of that section of 1122 is to
rule out troublesome ICMPs.  The first condition prevents loops; the
second two prevent ICMP implosions, the fourth assumes that the initial
fragment will cause the proper message, and the last is for an ICMP
that can't be delivered to a single host.  Your example concerns none
of those cases.  Furthermore, the very next page of 1122 defines an
ICMP type code for "administratively prohibited" communication, which
is exactly what I hope ipf is returning here.


                --Steve Bellovin, http://www.cs.columbia.edu/~smb