Re: ipfilter, return-icmp and RFC1122

To: tech-net%NetBSD.org@localhost
Subject: Re: ipfilter, return-icmp and RFC1122
From: Petar Bogdanovic <petar%smokva.net@localhost>
Date: Thu, 5 Jun 2008 17:47:54 +0200

On Thu, Jun 05, 2008 at 11:08:42AM -0400, Jim Wise wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On Wed, 4 Jun 2008, Petar Bogdanovic wrote:
> 
> >     +block return-rst  in proto tcp
> >     +block return-icmp in proto udp
> 
> Note that a quick fix would be to treat the broadcast address `specially'
> for these rules.  So replace the above with:
> 
>     my_addr="10.2.3.4";
>     broadcast_addr="10.2.3.255";
> 
>     block from any to $broadcast_addr
>     block return-rst  in proto tcp
>     block return-icmp(port-unr) in proto udp from any to $my_addr
>     block return-icmp in proto udp
> 
> This should give the most `realistic' error responses for your non-open
> ports, unless I'm missing something (entirely possible).

I tried to avoid using host-dependent addresses in my filter rules,
since this copy of ipf.conf gets distributed among multiple hosts.

But maybe I should leave this path. Thanks for the hint.


Petar

References:
- ipfilter, return-icmp and RFC1122
  - From: Petar Bogdanovic
- Re: ipfilter, return-icmp and RFC1122
  - From: Petar Bogdanovic
- Re: ipfilter, return-icmp and RFC1122
  - From: Jim Wise

Prev by Date: Re: ipfilter, return-icmp and RFC1122
Next by Date: Re: ipfilter, return-icmp and RFC1122
Previous by Thread: Re: ipfilter, return-icmp and RFC1122
Next by Thread: Re: ipfilter, return-icmp and RFC1122
Indexes:

Home | Main Index | Thread Index | Old Index