tech-net archive


Re: ipfilter, return-icmp and RFC1122



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 4 Jun 2008, Petar Bogdanovic wrote:

>       +block return-rst  in proto tcp
>       +block return-icmp in proto udp

Note that a quick fix would be to treat the broadcast address `specially'
for these rules.  So replace the above with:

    my_addr="10.2.3.4";
    broadcast_addr="10.2.3.255";

    block from any to $broadcast_addr
    block return-rst  in proto tcp
    block return-icmp(port-unr) in proto udp from any to $my_addr
    block return-icmp in proto udp

This should give the most `realistic' error responses for your non-open
ports, unless I'm missing something (entirely possible).

- -- 
                                Jim Wise
                                jwise%draga.com@localhost
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (NetBSD)

iD8DBQFISAF6q/KRbT0KwbwRAre0AJ9axo7GmbXchVuUXnlKWq03cVVr9ACfYuTJ
TyFa7AaV0NYc62b4s9f50Hs=
=qAFL
-----END PGP SIGNATURE-----
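The rule set in the mail relies on the order of the four block rules to keep broadcast-addressed packets from ever drawing an RST or ICMP error, which is what RFC 1122 section 3.2.2 requires of a host. The following Python model is an added example, not code from the mail or from ipfilter: it evaluates a constructed copy of those rules the way ipfilter does (every rule is tried in order and the last match decides, unless a matching rule carries `quick`), and checks the broadcast case for both protocols. The addresses are the ones quoted in the mail; the neighbour source address, the `Rule`/`Packet` types and the response labels (in particular `icmp` for the unqualified `return-icmp`, whose ICMP code is left unspecified here) are assumptions of the model.

```python
"""Toy model of ipfilter rule evaluation for the RFC 1122 broadcast case.

Added example, not code from the mail: it models the block/return-rst/
return-icmp rules quoted above and checks that no error response is ever
generated for a packet addressed to the broadcast address.
"""
from dataclasses import dataclass
from typing import List, Optional
import ipaddress

# Constructed addresses, taken from the rule set quoted in the mail.
MY_ADDR = ipaddress.ip_address("10.2.3.4")
BROADCAST_ADDR = ipaddress.ip_address("10.2.3.255")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"


@dataclass(frozen=True)
class Rule:
    proto: Optional[str]                    # None = any protocol
    dst: Optional[ipaddress.IPv4Address]    # None = any destination
    response: str                           # "drop", "rst", "port-unr" or "icmp"
    quick: bool = False                     # ipf 'quick' keyword: stop on match

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dst is not None and ipaddress.ip_address(pkt.dst) != self.dst:
            return False
        return True


def build_rules(quick: bool) -> List[Rule]:
    """The four 'block' rules from the mail, in their original order.
    'icmp' stands for the unqualified return-icmp (assumption: the ICMP
    code it sends is not modelled)."""
    return [
        Rule(None,  BROADCAST_ADDR, "drop",     quick),  # block from any to $broadcast_addr
        Rule("tcp", None,           "rst",      quick),  # block return-rst in proto tcp
        Rule("udp", MY_ADDR,        "port-unr", quick),  # block return-icmp(port-unr) ... to $my_addr
        Rule("udp", None,           "icmp",     quick),  # block return-icmp in proto udp
    ]


def response_for(pkt: Packet, rules: List[Rule]) -> str:
    """Evaluate rules the way ipfilter does: every rule is tried in order and
    the *last* matching rule decides, unless a matching rule carries 'quick',
    which ends evaluation immediately. Returns 'pass' when nothing matches."""
    result = "pass"
    for rule in rules:
        if rule.matches(pkt):
            result = rule.response
            if rule.quick:
                break
    return result


def rfc1122_compliant(rules: List[Rule], src: str = "10.2.3.9") -> bool:
    """RFC 1122 section 3.2.2: a host MUST NOT send an ICMP error message in
    response to a datagram destined to a broadcast address; the same restraint
    is applied here to TCP RSTs. True if neither protocol draws a response
    when sent to the broadcast address. 'src' is a constructed neighbour."""
    for proto in ("tcp", "udp"):
        pkt = Packet(src, str(BROADCAST_ADDR), proto)
        if response_for(pkt, rules) not in ("drop", "pass"):
            return False
    return True


if __name__ == "__main__":
    for quick in (True, False):
        verdict = "compliant" if rfc1122_compliant(build_rules(quick)) else "NOT compliant"
        print(f"quick={quick}: {verdict}")
```

Running it shows that the ordering only does what the mail intends when each rule ends evaluation on match: with `quick` on every rule a UDP packet to 10.2.3.255 gets `drop` and one to 10.2.3.4 gets `port-unr`, while under plain last-match evaluation the final `block return-icmp in proto udp` line is the last match for both and the broadcast check fails. Whichever way a real rule set is written, `rfc1122_compliant` is the kind of check worth keeping next to it.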
