Re: ipfilter, return-icmp and RFC1122

To: Jim Wise <jwise%draga.com@localhost>
Subject: Re: ipfilter, return-icmp and RFC1122
From: Darren Reed <darrenr%netbsd.org@localhost>
Date: Sun, 08 Jun 2008 12:58:31 -0700

Jim Wise wrote:

On Wed, 4 Jun 2008, Petar Bogdanovic wrote:

>    +block return-rst  in proto tcp
>    +block return-icmp in proto udp

Note that a quick fix would be to treat the broadcast address `specially'
for these rules.  So replace the above with:

    my_addr="10.2.3.4";
    broadcast_addr="10.2.3.255";

    block from any to $broadcast_addr
    block return-rst  in proto tcp
    block return-icmp(port-unr) in proto udp from any to $my_addr
    block return-icmp in proto udp

This should give the most `realistic' error responses for your non-open
ports, unless I'm missing something (entirely possible).


You don't need to specify the broadcast address:

block in quick all with bcast

And if you needed to do this for both broadcast and multicast:

block in quick all with mbcast

Darren

Follow-Ups:
- Re: ipfilter, return-icmp and RFC1122
  - From: Darren Reed
- Re: ipfilter, return-icmp and RFC1122
  - From: Jukka Salmi

References:
- ipfilter, return-icmp and RFC1122
  - From: Petar Bogdanovic
- Re: ipfilter, return-icmp and RFC1122
  - From: Petar Bogdanovic
- Re: ipfilter, return-icmp and RFC1122
  - From: Jim Wise

Prev by Date: Re: ipfilter, return-icmp and RFC1122
Next by Date: Re: ipfilter, return-icmp and RFC1122
Previous by Thread: Re: ipfilter, return-icmp and RFC1122
Next by Thread: Re: ipfilter, return-icmp and RFC1122
Indexes:

Home | Main Index | Thread Index | Old Index