tech-net archive
Re: ipfilter, return-icmp and RFC1122
On Sep 20, 9:40pm, Jim Wise wrote:
} On Wed, 4 Jun 2008, Petar Bogdanovic wrote:
}
} >I recently noticed that ipfilter with `block return-icmp' is returning
} >ICMP Type 3 Code 0 (Network unreachable) to the sender of a blocked
} >broadcast:
} >
} > 130.3.3.3 ---------[UDP%130.3.3.255@localhost]--------> 130.3.3.4
} > 130.3.3.3 <----[ICMP Network unreachable]---- 130.3.3.4
} >
} >
} >This seems wrong, considering RFC1122, page 39:
}
} Note that IPF makes the return ICMP code configurable. Try:
}
} block return-icmp-as-dest(port-unr)
}
} As noted down-thread, the default return value is perfectly appropriate
} for a router, but less so for an end host.
}
} By the way, I think it's a bad idea to configure IPF to return
} 'administratively prohibited' for blocked ports -- doing so allows a
} remote host to easily differentiate between blocked ports and open ports
} on which no daemon is currently running.
At the very least, I would return some kind of error for packets
headed to port 113 (ident) as a courtesy so that people/apps don't have
to wait for a timeout.
P.S. To anybody inclined to respond, I'm not interested in arguments
about the usefulness of the ident protocol.
}-- End of excerpt from Jim Wise
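A ruleset putting the thread's suggestions together, written as an added example for this reply rather than taken from the thread or from the ipfilter distribution; it assumes an end host (not a router), the ipf.conf(5) rule syntax with quick first-match ordering, and the 130.3.3.255 broadcast address from the original report:

```ipf
# Added example (hypothetical /etc/ipf.conf fragment, not from the thread).
# With "quick", the first matching rule wins, so order matters.

# 1. RFC 1122, section 3.2.2: an ICMP error MUST NOT be sent in response to
#    a datagram destined to an IP broadcast address. A silent drop placed
#    before any return-icmp rule keeps ipf from answering the broadcast in
#    the original report with "Network unreachable".
block in quick proto udp from any to 130.3.3.255/32

# 2. Courtesy reply for ident (TCP 113) so clients do not sit in a timeout:
#    a RST is exactly what a closed port on this host would send.
block return-rst in quick proto tcp from any to any port = 113

# 3. Other blocked UDP: look like a closed port on the destination host
#    (port-unr, with the original destination as the ICMP source), not like
#    a filter in the path. The default net-unr reads as a router's answer.
block return-icmp-as-dest(port-unr) in quick proto udp from any to any

# What not to do: filter-prohib ("administratively prohibited") tells the
# remote host that a filter, rather than the absence of a daemon, rejected
# the packet, so blocked and merely closed ports become distinguishable.
# block return-icmp(filter-prohib) in quick proto udp from any to any

# Everything else: silent drop.
block in quick all
```

Check the loaded rules with `ipfstat -io` after `ipf -Fa -f /etc/ipf.conf`; the broadcast-drop rule must appear before the return-icmp rules for step 1 to hold.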