Re: ipfilter, return-icmp and RFC1122
On Sep 20, 9:40pm, Jim Wise wrote:
} On Wed, 4 Jun 2008, Petar Bogdanovic wrote:
} >I recently noticed that ipfilter with `block return-icmp' is returning
} >ICMP Type 3 Code 0 (Network unreachable) to the sender of a blocked
} > 22.214.171.124 ---------[UDP%126.96.36.199@localhost]--------> 188.8.131.52
} > 184.108.40.206 <----[ICMP Network unreachable]---- 220.127.116.11
} >This seems wrong, considering RFC1122, page 39:
} Note that IPF makes the return ICMP code configurable. Try:
} block return-icmp-as-dest(port-unr)
} As noted down-thread, the default return value is perfectly appropriate
} for a router, but less so for an end host.
} By the way, I think it's a bad idea to configure IPF to return
} 'administratively prohibited' for blocked ports -- doing so allows a
} remote host to easily differentiate between blocked ports and open ports
} on which no daemon is currently running.
At the very least, I would return some kind of error for packets
headed to port 113 (ident) as a courtesy so that people/apps don't have
to wait for a timeout.
P.S. To anybody inclined to respond, I'm not interested in arguments
about the usefulness of the ident protocol.
}-- End of excerpt from Jim Wise
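The three reply behaviours discussed in this thread, written out as an IPF ruleset for an end host (an added example, not a configuration posted by anyone in the thread). It assumes the rules run on a host rather than a router, uses `quick` for first-match semantics, and uses the `return-rst` keyword, which is part of IPF's rule syntax but is not mentioned above.

```conf
# Added example (not from the thread): how an end host can answer blocked
# traffic under IPF. Rules are evaluated in order; "quick" stops at the
# first match. Pass rules for open services would sit above these lines.

# Default behaviour Petar observed: ICMP type 3 code 0 (network unreachable).
# Reasonable from a router, but an end host has no business claiming that a
# whole network is unreachable. Kept here only for comparison.
# block return-icmp in quick proto udp from any to any

# RFC 1122 host behaviour: ICMP type 3 code 3 (port unreachable), sent with the
# original destination address as the source, so a blocked UDP port looks
# exactly like a closed one.
block return-icmp-as-dest(port-unr) in quick proto udp from any to any

# Deliberately NOT used: an "administratively prohibited" reply (type 3
# code 13) tells a remote host the port is filtered rather than merely
# closed, which is the distinction Jim warns about.

# ident (TCP 113): answer with a RST so remote MTAs and IRC servers do not
# sit waiting for a timeout. "return-rst" is IPF syntax assumed here.
block return-rst in quick proto tcp from any to any port = 113

# Remaining TCP is dropped silently.
block in quick proto tcp from any to any
```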