tech-net archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: ipfilter, return-icmp and RFC1122

On Sep 20,  9:40pm, Jim Wise wrote:
} On Wed, 4 Jun 2008, Petar Bogdanovic wrote:
} >I recently noticed that ipfilter with `block return-icmp' is returning
} >ICMP Type 3 Code 0 (Network unreachable) to the sender of a blocked
} >broadcast:
} >
} > ---------[UDP%]-------->
} > <----[ICMP Network unreachable]----
} >
} >
} >This seems wrong, considering RFC1122, page 39:
} Note that IPF makes the return ICMP code configurable.  Try:
}       block return-icmp-as-dest(port-unr) 
} As noted down-thread, the default return value is perfectly appropriate 
} for a router, but less so for an end host.
} By the way, I think it's a bad idea to configure IPF to return 
} 'administratively prohibited' for blocked ports -- doing so allows a 
} remote host to easily differentiate between blocked ports and open ports 
} on which no daemon is currently running.

     At the very least, I would return some kind of error for packets
headed to port 113 (ident) as a courtesy so that people/apps don't have
to wait for a timeout.

P.S. To anybody inclined to respond, I'm not interested in arguments
about the usefulness of the ident protocol.

}-- End of excerpt from Jim Wise

Home | Main Index | Thread Index | Old Index