Re: ipfilter, return-icmp and RFC1122

To: Jim Wise <jwise%draga.com@localhost>
Subject: Re: ipfilter, return-icmp and RFC1122
From: Darren Reed <darrenr%netbsd.org@localhost>
Date: Sun, 08 Jun 2008 13:12:07 -0700

Darren Reed wrote:

Jim Wise wrote:

On Wed, 4 Jun 2008, Petar Bogdanovic wrote:

>    +block return-rst  in proto tcp
>    +block return-icmp in proto udp

Note that a quick fix would be to treat the broadcast address`specially'

for these rules.  So replace the above with:

    my_addr="10.2.3.4";
    broadcast_addr="10.2.3.255";

    block from any to $broadcast_addr
    block return-rst  in proto tcp
    block return-icmp(port-unr) in proto udp from any to $my_addr
    block return-icmp in proto udp

This should give the most `realistic' error responses for your non-open
ports, unless I'm missing something (entirely possible).


You don't need to specify the broadcast address:

block in quick all with bcast

And if you needed to do this for both broadcast and multicast:

block in quick all with mbcast


And you can also do:

block in quick on fxp0 from any to fxp0/bcast

(interface name in the "address" field must match the "on" name)

Cheers,
Darren

References:
- ipfilter, return-icmp and RFC1122
  - From: Petar Bogdanovic
- Re: ipfilter, return-icmp and RFC1122
  - From: Petar Bogdanovic
- Re: ipfilter, return-icmp and RFC1122
  - From: Jim Wise
- Re: ipfilter, return-icmp and RFC1122
  - From: Darren Reed

Prev by Date: Re: ipfilter, return-icmp and RFC1122
Next by Date: Uma frase e uma sugestao
Previous by Thread: Re: ipfilter, return-icmp and RFC1122
Next by Thread: Re: ipfilter, return-icmp and RFC1122
Indexes:

Home | Main Index | Thread Index | Old Index