tech-net archive
Re: ipfilter, return-icmp and RFC1122
On Thu, Jun 05, 2008 at 01:34:26AM -0700, John Nemeth wrote:
> On Oct 25, 3:57pm, "Steven M. Bellovin" wrote:
> } On Wed, 4 Jun 2008 15:03:06 +0200
> } Petar Bogdanovic <petar@smokva.net> wrote:
> }
> } > I recently noticed that ipfilter with `block return-icmp' is returning
> } > ICMP Type 3 Code 0 (Network unreachable) to the sender of a blocked
> } > broadcast:
> } >
> } > 130.3.3.3 ---------[UDP@130.3.3.255]--------> 130.3.3.4
> } > 130.3.3.3 <----[ICMP Network unreachable]---- 130.3.3.4
> } >
> } >
> } > This seems wrong, considering RFC1122, page 39:
> } >
> } > An ICMP error message MUST NOT be sent as the result of
> } > receiving:
> } >
> } > * an ICMP error message, or
> } >
> } > * a datagram destined to an IP broadcast or IP multicast
> } > address, or
> } >
> } > * a datagram sent as a link-layer broadcast, or
> } >
> } > * a non-initial fragment, or
> } >
> } > * a datagram whose source address does not define a single
> } > host -- e.g., a zero address, a loopback address, a
> } > broadcast address, a multicast address, or a Class E
> } > address.
> } >
> } >
> } > Is this desired behaviour?
> }
> } I don't see the conflict. The intent of that section of 1122 is to
> } rule out troublesome ICMPs. The first condition prevents loops; the
> } second two prevent ICMP implosions, the fourth assumes that the initial
>
> Using the English language (which usually works with RFCs) along
> with the RFC definition of "MUST NOT", it sure looks like either the
> second or third condition applies depending on the link layer address.
>
> } fragment will cause the proper message, and the last is for an ICMP
> } that can't be delivered to a single host. Your example concerns none
> } of those cases. Furthermore, the very next page of 1122 defines an
> } ICMP type code for "administratively prohibited" communication, which
> } is exactly what I hope ipf is returning here.
>
> The second line of the stuff you quoted says, "ICMP Type 3 Code 0
> (Network unreachable)". "administratively prohibited" would be Code 9,
> 10, or 13.
>
> The question I have is, is 130.3.3.4 a router of some sort?
No, it's not a router:
# sysctl -a | grep forwarding
net.inet.ip.forwarding = 0
net.inet6.ip6.forwarding = 0
# ifconfig -a | grep '^[a-z]'
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33192
Petar
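The thread turns on which RFC 1122 bullet, if any, forbids the ICMP error that ipfilter's `block return-icmp` sent back for the broadcast datagram. The following is an added illustration, not ipfilter or NetBSD code: a small Python model of the five RFC 1122 section 3.2.2 conditions, applied to constructed datagrams including the one in the diagram above. The `Datagram` fields, the 130.3.3.0/24 netmask (the thread never states the mask; 130.3.3.255 is assumed to be the directed broadcast), and the choice of type 3 code 13 as the default "administratively prohibited" reply are all assumptions of this example.

```python
"""Model of the RFC 1122 rules for when an ICMP error MUST NOT be generated.
Added example for the tech-net thread; not ipfilter's implementation."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# ICMP type 3 (destination unreachable) codes mentioned in the thread
ICMP_UNREACH_NET = 0             # code 0: what ipfilter was observed to send
ICMP_UNREACH_ADMIN_NET = 9       # RFC 1122: network administratively prohibited
ICMP_UNREACH_ADMIN_HOST = 10     # RFC 1122: host administratively prohibited
ICMP_UNREACH_ADMIN_FILTER = 13   # RFC 1812: communication administratively prohibited


@dataclass
class Datagram:
    """Minimal view of an IPv4 datagram (constructed for the example, not parsed)."""
    src: str
    dst: str
    proto: str                          # "udp", "tcp" or "icmp"
    icmp_is_error: bool = False         # only meaningful when proto == "icmp"
    frag_offset: int = 0                # > 0 means a non-initial fragment
    link_layer_broadcast: bool = False  # frame arrived with a broadcast MAC


def _is_ip_broadcast(addr, local_net: ipaddress.IPv4Network) -> bool:
    """Limited broadcast or the directed broadcast of the attached network."""
    return addr == ipaddress.IPv4Address("255.255.255.255") or addr == local_net.broadcast_address


def _source_is_single_host(addr, local_net: ipaddress.IPv4Network) -> bool:
    """RFC 1122 bullet 5: zero, loopback, broadcast, multicast and Class E
    (240/4, which ipaddress reports as is_reserved) do not name one host."""
    return not (addr.is_unspecified or addr.is_loopback or addr.is_multicast
                or addr.is_reserved or _is_ip_broadcast(addr, local_net))


def icmp_error_suppressed(dg: Datagram, local_net: str) -> Optional[str]:
    """Return the RFC 1122 bullet that forbids an ICMP error for dg, or None
    when an error message may be generated."""
    net = ipaddress.ip_network(local_net, strict=False)
    src = ipaddress.ip_address(dg.src)
    dst = ipaddress.ip_address(dg.dst)
    if dg.proto == "icmp" and dg.icmp_is_error:
        return "icmp-error"                   # bullet 1: never answer an error with an error (loops)
    if dst.is_multicast or _is_ip_broadcast(dst, net):
        return "ip-broadcast-or-multicast"    # bullet 2: avoids an ICMP implosion
    if dg.link_layer_broadcast:
        return "link-layer-broadcast"         # bullet 3: same reasoning at the link layer
    if dg.frag_offset > 0:
        return "non-initial-fragment"         # bullet 4: the initial fragment carries the error
    if not _source_is_single_host(src, net):
        return "source-not-single-host"       # bullet 5: nowhere sensible to deliver the error
    return None


def block_return_icmp(dg: Datagram, local_net: str,
                      code: int = ICMP_UNREACH_ADMIN_FILTER) -> Optional[int]:
    """Model of a `block return-icmp` rule that honours RFC 1122: the type 3
    code to send back, or None when the datagram must be dropped silently.
    The default code (13) is an assumption of this example."""
    if icmp_error_suppressed(dg, local_net) is not None:
        return None
    return code


if __name__ == "__main__":
    # The exchange from the thread: UDP to the (assumed /24) directed broadcast.
    bcast = Datagram("130.3.3.3", "130.3.3.255", "udp", link_layer_broadcast=True)
    print(icmp_error_suppressed(bcast, "130.3.3.0/24"))  # ip-broadcast-or-multicast
    print(block_return_icmp(bcast, "130.3.3.0/24"))      # None: silent drop
    # The same sender to a unicast address: a reply is permitted.
    unicast = Datagram("130.3.3.3", "130.3.3.4", "udp")
    print(block_return_icmp(unicast, "130.3.3.0/24"))    # 13
```

Bullet 2 fires before bullet 3 is consulted, so the UDP-to-130.3.3.255 case is suppressed on the IP broadcast address alone; whether the frame also carried a broadcast MAC (the second-or-third-condition point raised above) does not change the outcome, only the reason reported.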