tech-net archive


Re: ipfilter, return-icmp and RFC1122



On Oct 25,  3:57pm, "Steven M. Bellovin" wrote:
} On Wed, 4 Jun 2008 15:03:06 +0200
} Petar Bogdanovic <petar%smokva.net@localhost> wrote:
} 
} > I recently noticed that ipfilter with `block return-icmp' is returning
} > ICMP Type 3 Code 0 (Network unreachable) to the sender of a blocked
} > broadcast:
} > 
} >     130.3.3.3 ---------[UDP@130.3.3.255]--------> 130.3.3.4
} >     130.3.3.3 <----[ICMP Network unreachable]---- 130.3.3.4
} > 
} > 
} > This seems wrong, considering RFC1122, page 39:
} > 
} >          An ICMP error message MUST NOT be sent as the result of
} >          receiving:
} > 
} >          *    an ICMP error message, or
} > 
} >          *    a datagram destined to an IP broadcast or IP multicast
} >               address, or
} > 
} >          *    a datagram sent as a link-layer broadcast, or
} > 
} >          *    a non-initial fragment, or
} > 
} >          *    a datagram whose source address does not define a single
} >               host -- e.g., a zero address, a loopback address, a
} >               broadcast address, a multicast address, or a Class E
} >               address.
} > 
} > 
} > Is this desired behaviour?
} 
} I don't see the conflict.  The intent of that section of 1122 is to
} rule out troublesome ICMPs.  The first condition prevents loops; the
} second two prevent ICMP implosions, the fourth assumes that the initial

     Using the English language (which usually works with RFCs) along
with the RFC definition of "MUST NOT", it sure looks like either the
second or third condition applies depending on the link layer address.

} fragment will cause the proper message, and the last is for an ICMP
} that can't be delivered to a single host.  Your example concerns none
} of those cases.  Furthermore, the very next page of 1122 defines an
} ICMP type code for "administratively prohibited" communication, which
} is exactly what I hope ipf is returning here.

     The second line of the stuff you quoted says, "ICMP Type 3 Code 0
(Network unreachable)".  "administratively prohibited" would be Code 9,
10, or 13.

     The question I have is, is 130.3.3.4 a router of some sort?  If
not, then I believe it is misbehaving.  If so, then RFC1122 may not be
applicable as it only deals with end hosts.  However, even if it is a
router, it isn't a packet that needs to be passed through, so RFC1122
is probably still applicable.

}-- End of excerpt from "Steven M. Bellovin"
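The RFC 1122 section 3.2.2 decision the thread is arguing about, written out as an added example. This is illustrative Python, not ipfilter's or NetBSD's code. It assumes a /24 netmask for the 130.3.3.x hosts in the post (so 130.3.3.255 is the directed broadcast), takes "sent as a link-layer broadcast" as a flag the caller supplies because that fact is not visible in the IP header, and, for the one case where an error may be sent, returns Type 3 Code 13 (communication administratively prohibited, one of the codes the reply names) rather than the Code 0 the original poster observed. The sample datagrams are constructed inline.

```python
"""May a host send an ICMP error in reply to this IPv4 datagram?
Implements the five exclusions of RFC 1122 sec. 3.2.2 over a parsed header.
Added example, not ipfilter/NetBSD code."""
import ipaddress
import struct

ICMP_DEST_UNREACH = 3
ICMP_CODE_NET_UNREACH = 0          # what the post reports ipfilter sending
ICMP_CODE_ADMIN_PROHIBITED = 13    # "communication administratively prohibited"
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}   # ICMP types that are error messages
LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")

# Assumption: the post's hosts live on a /24, so 130.3.3.255 is the net broadcast.
LOCAL_NET = ipaddress.IPv4Network("130.3.3.0/24")


def parse_ipv4(raw: bytes) -> dict:
    """Extract the header fields the RFC 1122 rules depend on."""
    if len(raw) < 20:
        raise ValueError("short IPv4 header")
    (vhl, _tos, _tlen, _ident, flags_frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (vhl & 0x0F) * 4
    payload = raw[ihl:]
    return {
        "src": ipaddress.IPv4Address(src),
        "dst": ipaddress.IPv4Address(dst),
        "proto": proto,
        "frag_offset": flags_frag & 0x1FFF,       # non-zero => not the first fragment
        "icmp_type": payload[0] if proto == 1 and payload else None,
    }


def _is_broadcast(addr, net):
    return addr == net.broadcast_address or addr == LIMITED_BROADCAST


def icmp_error_permitted(pkt, local_net=LOCAL_NET, link_layer_broadcast=False):
    """Return (permitted, reason), checking the RFC 1122 exclusions in order."""
    src, dst = pkt["src"], pkt["dst"]
    if pkt["proto"] == 1 and pkt["icmp_type"] in ICMP_ERROR_TYPES:
        return False, "datagram is an ICMP error message"
    if dst.is_multicast or _is_broadcast(dst, local_net):
        return False, "destination is an IP broadcast or multicast address"
    if link_layer_broadcast:   # caller knows this from the frame, not the header
        return False, "datagram was sent as a link-layer broadcast"
    if pkt["frag_offset"] != 0:
        return False, "non-initial fragment"
    if (src.is_unspecified or src.is_loopback or src.is_multicast
            or _is_broadcast(src, local_net)
            or int(src) >= 0xF0000000):        # class E, 240.0.0.0/4
        return False, "source address does not identify a single host"
    return True, "ok"


def pick_reject_reply(pkt, local_net=LOCAL_NET, link_layer_broadcast=False):
    """What a filter that rejects this packet should send back:
    None (stay silent) or an (icmp_type, icmp_code) tuple."""
    ok, _reason = icmp_error_permitted(pkt, local_net, link_layer_broadcast)
    if not ok:
        return None
    return (ICMP_DEST_UNREACH, ICMP_CODE_ADMIN_PROHIBITED)


def build_ipv4(src, dst, proto, payload=b"", frag_offset=0):
    """Construct a minimal IPv4 datagram (checksum left zero; parse-only use)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                         frag_offset & 0x1FFF, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + payload


# Constructed samples mirroring the post's hosts.
UDP_HDR = b"\x00\x35\x00\x35\x00\x08\x00\x00"                  # src/dst port 53, len 8
UDP_TO_BROADCAST = build_ipv4("130.3.3.3", "130.3.3.255", 17, UDP_HDR)
UDP_UNICAST = build_ipv4("130.3.3.3", "130.3.3.4", 17, UDP_HDR)
ICMP_ERR_IN = build_ipv4("130.3.3.3", "130.3.3.4", 1, bytes([3, 0, 0, 0]))
LATER_FRAG = build_ipv4("130.3.3.3", "130.3.3.4", 17, b"data", frag_offset=185)
ZERO_SRC = build_ipv4("0.0.0.0", "130.3.3.4", 17, UDP_HDR)

if __name__ == "__main__":
    for name, raw in [("udp->broadcast", UDP_TO_BROADCAST), ("udp unicast", UDP_UNICAST),
                      ("icmp error in", ICMP_ERR_IN), ("later fragment", LATER_FRAG),
                      ("zero source", ZERO_SRC)]:
        pkt = parse_ipv4(raw)
        print(f"{name:16s} {icmp_error_permitted(pkt)[1]:55s} reply={pick_reject_reply(pkt)}")
```

The broadcast case from the post is the second exclusion: the destination 130.3.3.255 is the directed broadcast of the /24, so `pick_reject_reply` stays silent where the reported ipfilter behaviour sent Type 3 Code 0. Whether the frame also arrived as a link-layer broadcast is a separate fact the filter has to learn from the interface layer, which is why it is a parameter here.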

