[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: ipfilter, return-icmp and RFC1122
On Thu, Jun 05, 2008 at 09:59:42AM -0400, Jim Wise wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> On Thu, 5 Jun 2008, Petar Bogdanovic wrote:
> >> Note that IPF makes the return ICMP code configurable. Try:
> >> block return-icmp-as-dest(port-unr)
> >> As noted down-thread, the default return value is perfectly appropriate
> >> for a router, but less so for an end host.
> >I don't think that changing the return code would make ipfilter stop
> >responding to broadcasts. Or did you mean something else?
> No, changing the return code would address the concern others have raised
> that `network unreachable' is not the right response for a host to return.
> On the broadcast question, as Mouse notes, IPF is doing what you told it to
> do -- since you've configured IPF to respond with an ICMP error for any
> packet which reaches it (there's no dst address clause in your rule), it is
> doing so.
> More generally, I'm not sure the value you see in having IPF on a _host_
> return an ICMP error, as doing so just advertises the host's presence (on
> the other hand, _not_ sending an ICMP error from a router would indicate
> that the destination address/port was `different'). What are you trying to
Returning rst/port-unr spares me (and others) timeouts when trying to
connect blocked ports. I often forget about the packet filter; hence an
immediate abort helps me remembering that there was something between..
Main Index |
Thread Index |