tech-net archive


Re: ipfilter, return-icmp and RFC1122



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 4 Jun 2008, Petar Bogdanovic wrote:

>Hi,
>
>I recently noticed that ipfilter with `block return-icmp' is returning
>ICMP Type 3 Code 0 (Network unreachable) to the sender of a blocked
>broadcast:
>
>       130.3.3.3 ---------[UDP%130.3.3.255@localhost]--------> 130.3.3.4
>       130.3.3.3 <----[ICMP Network unreachable]---- 130.3.3.4
>
>
>This seems wrong, considering RFC1122, page 39:

Note that IPF makes the return ICMP code configurable.  Try:

        block return-icmp-as-dest(port-unr) 

As noted down-thread, the default return value is perfectly appropriate 
for a router, but less so for an end host.

By the way, I think it's a bad idea to configure IPF to return 
'administratively prohibited' for blocked ports -- doing so allows a 
remote host to easily differentiate between blocked ports and open ports 
on which no daemon is currently running.

- -- 
                                Jim Wise
                                jwise%draga.com@localhost
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (NetBSD)

iD8DBQFIR+sRq/KRbT0KwbwRAv/BAJ9cXZ69BlzNrds0kd2qvPDz+64xhQCfWwxs
oqqjwkpRyW4LMtV3z1MgqJ4=
=+2js
-----END PGP SIGNATURE-----
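The two points raised in the thread (RFC 1122 forbids an ICMP error in reply to a datagram sent to a broadcast address, and the choice of Destination Unreachable code is a policy decision with a side channel attached) can be checked with a small model of the decision a packet filter has to make. The following is an added illustration, not code from ipfilter or from anyone in the thread; the `Datagram` class, the `icmp_error_for_blocked` helper, the 130.3.3.0/24 local network and the sample packets are all constructed for the example.

```python
"""Decide whether a blocked datagram should trigger an ICMP Destination
Unreachable reply, and with which code, following RFC 1122 section 3.2.2.

Added example, not code from ipfilter or the thread.  All names and the
sample packets below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ICMP_DEST_UNREACH = 3
NET_UNREACH = 0          # ipfilter's default for `return-icmp'
PORT_UNREACH = 3         # what `return-icmp-as-dest(port-unr)' sends
COMM_ADMIN_PROHIB = 13   # "communication administratively prohibited"

# Constructed local network, matching the addresses in the quoted trace.
LOCAL_NET = ipaddress.ip_network("130.3.3.0/24")


@dataclass
class Datagram:
    src: str
    dst: str
    proto: str                  # "udp", "tcp", "icmp"
    frag_offset: int = 0        # non-zero for a non-initial fragment
    link_broadcast: bool = False  # arrived in a link-layer broadcast frame
    is_icmp_error: bool = False   # the datagram is itself an ICMP error


def is_broadcast_or_multicast(addr: str, local_net) -> bool:
    """True for multicast, the limited broadcast 255.255.255.255, and the
    directed broadcast of the local network (130.3.3.255 in the trace)."""
    ip = ipaddress.ip_address(addr)
    return (ip.is_multicast
            or ip == ipaddress.ip_address("255.255.255.255")
            or ip == local_net.broadcast_address)


def icmp_error_for_blocked(dgram: Datagram, local_net,
                           role: str = "host",
                           policy: str = "unreachable") -> Optional[Tuple[int, int]]:
    """Return (type, code) of the ICMP error to send for a blocked datagram,
    or None where RFC 1122 3.2.2 says no ICMP error may be sent at all.

    role   = "host" (port unreachable) or "router" (network unreachable)
    policy = "unreachable" or "admin-prohib" (the choice the reply warns about)
    """
    src = ipaddress.ip_address(dgram.src)
    # RFC 1122 3.2.2: an ICMP error MUST NOT be sent in response to ...
    if is_broadcast_or_multicast(dgram.dst, local_net):   # ... a broadcast/multicast dst
        return None
    if dgram.link_broadcast:                               # ... a link-layer broadcast
        return None
    if dgram.frag_offset != 0:                             # ... a non-initial fragment
        return None
    if dgram.is_icmp_error:                                # ... another ICMP error
        return None
    if (src.is_multicast or src.is_unspecified or src.is_loopback
            or src == local_net.broadcast_address):        # ... a non-unicast source
        return None

    # Past the RFC checks it is a local policy choice.
    if policy == "admin-prohib":
        return (ICMP_DEST_UNREACH, COMM_ADMIN_PROHIB)
    if role == "router":
        return (ICMP_DEST_UNREACH, NET_UNREACH)
    return (ICMP_DEST_UNREACH, PORT_UNREACH)


def leaks_filter_state(reply: Optional[Tuple[int, int]]) -> bool:
    """An unfiltered closed UDP port answers with Port Unreachable (3/3).
    Any other reply to a probe therefore tells the sender that a filter,
    not the absence of a daemon, produced it."""
    return reply is not None and reply != (ICMP_DEST_UNREACH, PORT_UNREACH)


if __name__ == "__main__":
    # Constructed packets: the blocked broadcast from the trace, and a unicast probe.
    bcast = Datagram("130.3.3.3", "130.3.3.255", "udp")
    probe = Datagram("130.3.3.3", "130.3.3.4", "udp")
    print("broadcast  ->", icmp_error_for_blocked(bcast, LOCAL_NET))
    print("host       ->", icmp_error_for_blocked(probe, LOCAL_NET))
    print("router     ->", icmp_error_for_blocked(probe, LOCAL_NET, role="router"))
    print("admin-prohib leaks:",
          leaks_filter_state(icmp_error_for_blocked(probe, LOCAL_NET, policy="admin-prohib")))
```

Run as a script it shows `None` for the broadcast case (the reply Petar observed should not have been sent), `(3, 3)` for an end host, `(3, 0)` for a router, and `True` for the administratively-prohibited policy, which is exactly the distinguishability Jim's last paragraph describes.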

