tech-net archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: ipfilter, return-icmp and RFC1122

Hash: SHA1

On Thu, 5 Jun 2008, Petar Bogdanovic wrote:

>> Note that IPF makes the return ICMP code configurable.  Try:
>>      block return-icmp-as-dest(port-unr) 
>> As noted down-thread, the default return value is perfectly appropriate 
>> for a router, but less so for an end host.
>I don't think that changing the return code would make ipfilter stop
>responding to broadcasts. Or did you mean something else?

No, changing the return code would address the concern others have raised
that `network unreachable' is not the right response for a host to return.

On the broadcast question, as Mouse notes, IPF is doing what you told it to
do -- since you've configured IPF to respond with an ICMP error for any
packet which reaches it (there's no dst address clause in your rule), it is
doing so.

More generally, I'm not sure the value you see in having IPF on a _host_
return an ICMP error, as doing so just advertises the host's presence (on
the other hand, _not_ sending an ICMP error from a router would indicate
that the destination address/port was `different').  What are you trying to

- -- 
                                Jim Wise
Version: GnuPG v1.4.9 (NetBSD)


Home | Main Index | Thread Index | Old Index