Re: ipfilter, return-icmp and RFC1122

To: tech-net%NetBSD.org@localhost
Subject: Re: ipfilter, return-icmp and RFC1122
From: Petar Bogdanovic <petar%smokva.net@localhost>
Date: Thu, 5 Jun 2008 15:41:41 +0200

On Thu, Jun 05, 2008 at 09:33:05AM -0400, Jim Wise wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On Wed, 4 Jun 2008, Petar Bogdanovic wrote:
> 
> >Hi,
> >
> >I recently noticed that ipfilter with `block return-icmp' is returning
> >ICMP Type 3 Code 0 (Network unreachable) to the sender of a blocked
> >broadcast:
> >
> >     130.3.3.3 ---------[UDP%130.3.3.255@localhost]--------> 130.3.3.4
> >     130.3.3.3 <----[ICMP Network unreachable]---- 130.3.3.4
> >
> >
> >This seems wrong, considering RFC1122, page 39:
> 
> Note that IPF makes the return ICMP code configurable.  Try:
> 
>       block return-icmp-as-dest(port-unr) 
> 
> As noted down-thread, the default return value is perfectly appropriate 
> for a router, but less so for an end host.

I don't think that changing the return code would make ipfilter stop
responding to broadcasts. Or did you mean something else?


Petar

Follow-Ups:
- Re: ipfilter, return-icmp and RFC1122
  - From: Jim Wise

References:
- ipfilter, return-icmp and RFC1122
  - From: Petar Bogdanovic
- Re: ipfilter, return-icmp and RFC1122
  - From: Jim Wise

Prev by Date: Re: ipfilter, return-icmp and RFC1122
Next by Date: Re: ipfilter, return-icmp and RFC1122
Previous by Thread: Re: ipfilter, return-icmp and RFC1122
Next by Thread: Re: ipfilter, return-icmp and RFC1122
Indexes:

Home | Main Index | Thread Index | Old Index