Re: ipfilter, return-icmp and RFC1122

On Wed, 4 Jun 2008 15:03:06 +0200
Petar Bogdanovic <> wrote:

> Hi,
> I recently noticed that ipfilter with `block return-icmp' is returning
> ICMP Type 3 Code 0 (Network unreachable) to the sender of a blocked
> broadcast:
> ---------[UDP%]-------->
> <----[ICMP Network unreachable]----
> This seems wrong, considering RFC1122, page 39:
>          An ICMP error message MUST NOT be sent as the result of
>          receiving:
>          *    an ICMP error message, or
>          *    a datagram destined to an IP broadcast or IP multicast
>               address, or
>          *    a datagram sent as a link-layer broadcast, or
>          *    a non-initial fragment, or
>          *    a datagram whose source address does not define a single
>               host -- e.g., a zero address, a loopback address, a
>               broadcast address, a multicast address, or a Class E
>               address.
> Is this desired behaviour?

I don't see the conflict.  The intent of that section of 1122 is to
rule out troublesome ICMPs.  The first condition prevents loops; the
second two prevent ICMP implosions, the fourth assumes that the initial
fragment will cause the proper message, and the last is for an ICMP
that can't be delivered to a single host.  Your example concerns none
of those cases.  Furthermore, the very next page of 1122 defines an
ICMP type code for "administratively prohibited" communication, which
is exactly what I hope ipf is returning here.

                --Steve Bellovin,
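The RFC1122 "MUST NOT" list quoted above, expressed as a check a packet filter could run before deciding whether a blocked datagram may be answered with an ICMP error at all. This is an added example, not ipfilter code and not either poster's; the `Datagram` fields and the optional `subnet` (the receiving interface's network, used to recognise a directed broadcast) are assumed for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# ICMP types that are themselves error messages (RFC 792): destination
# unreachable, source quench, redirect, time exceeded, parameter problem.
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}

@dataclass
class Datagram:
    """Constructed view of the fields the RFC1122 rules depend on."""
    src: str
    dst: str
    proto: int                    # IP protocol number; 1 = ICMP
    frag_offset: int = 0          # non-zero means a non-initial fragment
    link_bcast: bool = False      # frame arrived as a link-layer broadcast
    icmp_type: Optional[int] = None
    subnet: Optional[str] = None  # assumed interface net, e.g. "192.0.2.0/24"

def _is_broadcast(addr: str, subnet: Optional[str]) -> bool:
    ip = ipaddress.IPv4Address(addr)
    if ip == ipaddress.IPv4Address("255.255.255.255"):  # limited broadcast
        return True
    return subnet is not None and ip == ipaddress.IPv4Network(subnet).broadcast_address

def _defines_single_host(addr: str, subnet: Optional[str]) -> bool:
    """RFC1122's last bullet: zero, loopback, broadcast, multicast, class E."""
    ip = ipaddress.IPv4Address(addr)
    if ip in ipaddress.IPv4Network("0.0.0.0/8"):    # zero address
        return False
    if ip.is_loopback or ip.is_multicast:           # 127/8, 224/4
        return False
    if ip in ipaddress.IPv4Network("240.0.0.0/4"):  # class E
        return False
    return not _is_broadcast(addr, subnet)

def icmp_error_suppressed(d: Datagram) -> Optional[str]:
    """Return the RFC1122 reason no ICMP error may be sent, or None if one may."""
    if d.proto == 1 and d.icmp_type in ICMP_ERROR_TYPES:
        return "icmp-error"
    if _is_broadcast(d.dst, d.subnet) or ipaddress.IPv4Address(d.dst).is_multicast:
        return "broadcast-or-multicast-destination"
    if d.link_bcast:
        return "link-layer-broadcast"
    if d.frag_offset != 0:
        return "non-initial-fragment"
    if not _defines_single_host(d.src, d.subnet):
        return "source-not-single-host"
    return None
```

A filter that wants `return-icmp` semantics would consult this check first and only choose which unreachable code to send when it returns `None`.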

