tech-net archive


Re: ipfilter, return-icmp and RFC1122



On Thu, Jun 05, 2008 at 09:59:42AM -0400, Jim Wise wrote:
> 
> On Thu, 5 Jun 2008, Petar Bogdanovic wrote:
> 
> >> Note that IPF makes the return ICMP code configurable.  Try:
> >> 
> >>    block return-icmp-as-dest(port-unr) 
> >> 
> >> As noted down-thread, the default return value is perfectly appropriate 
> >> for a router, but less so for an end host.
> >
> >I don't think that changing the return code would make ipfilter stop
> >responding to broadcasts. Or did you mean something else?
> 
> 
> No, changing the return code would address the concern others have raised
> that `network unreachable' is not the right response for a host to return.
> 
> On the broadcast question, as Mouse notes, IPF is doing what you told it to
> do -- since you've configured IPF to respond with an ICMP error for any
> packet which reaches it (there's no dst address clause in your rule), it is
> doing so.
> 
> More generally, I'm not sure the value you see in having IPF on a _host_
> return an ICMP error, as doing so just advertises the host's presence (on
> the other hand, _not_ sending an ICMP error from a router would indicate
> that the destination address/port was `different').  What are you trying to
> accomplish?

Returning rst/port-unr spares me (and others) timeouts when trying to
connect to blocked ports.  I often forget about the packet filter; hence an
immediate abort helps me remember that there was something in between.


Petar
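The rule shapes the thread discusses, as an added ipf.conf example (not taken from either poster's configuration); the interface `fxp0`, the host address `192.0.2.10` and the form of the original rule are assumed:

```conf
# Assumed shape of the rule that triggered the thread: no destination
# address clause, so every blocked packet, broadcasts included, gets an
# ICMP error back (net-unr by default, which is a router-style answer).
# block return-icmp in quick on fxp0 all

# Corrected ruleset. Rules use "quick", so the first match wins.
# 1. Services this host actually offers.
pass in quick on fxp0 proto tcp from any to 192.0.2.10 port = 22 keep state

# 2. Only traffic addressed to this host gets an immediate refusal:
#    TCP gets a RST, UDP gets port-unreachable sourced from the host's
#    own address (return-icmp-as-dest), so clients abort at once instead
#    of waiting for a timeout.
block return-rst in quick on fxp0 proto tcp from any to 192.0.2.10
block return-icmp-as-dest(port-unr) in quick on fxp0 proto udp from any to 192.0.2.10

# 3. Everything else, including broadcasts such as 192.0.2.255, is
#    dropped silently: no dst clause matched above, so nothing is sent.
block in quick on fxp0 all
```

Load with `ipf -Fa -f /etc/ipf.conf` and watch `ipfstat -hio` to confirm the silent rule, not the return rules, is what counts broadcast traffic.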

