Re: ipfilter, return-icmp and RFC1122

To: Jim Wise <jwise%draga.com@localhost>, Petar Bogdanovic <petar%smokva.net@localhost>
Subject: Re: ipfilter, return-icmp and RFC1122
From: jnemeth%victoria.tc.ca@localhost (John Nemeth)
Date: Thu, 5 Jun 2008 11:42:32 -0700

On Sep 20, 10:07pm, Jim Wise wrote:
} On Thu, 5 Jun 2008, Petar Bogdanovic wrote:
} 
} >> Note that IPF makes the return ICMP code configurable.  Try:
} >> 
} >>    block return-icmp-as-dest(port-unr) 
} >> 
} >> As noted down-thread, the default return value is perfectly appropriate 
} >> for a router, but less so for an end host.
} >
} >I don't think that changing the return code would make ipfilter stop
} >responding to broadcasts. Or did you mean something else?
} 
} No, changing the return code would address the concern others have raised
} that `network unreachable' is not the right response for a host to return.
} 
} On the broadcast question, as Mouse notes, IPF is doing what you told it to
} do -- since you've configured IPF to respond with an ICMP error for any
} packet which reaches it (there's no dst address clause in your rule), it is
} doing so.

     This may be so based on a strict reading of the syntax, but it
would be nice if IPF behaved in a sensible way by default and you had
to explicitly misconfigure it in order to get improper behaviour.

}-- End of excerpt from Jim Wise

Follow-Ups:
- Re: ipfilter, return-icmp and RFC1122
  - From: Jim Wise

Prev by Date: Re: ipfilter, return-icmp and RFC1122
Next by Date: Re: ipfilter, return-icmp and RFC1122
Previous by Thread: Re: ipfilter, return-icmp and RFC1122
Next by Thread: Re: ipfilter, return-icmp and RFC1122
Indexes:

Home | Main Index | Thread Index | Old Index