tech-net archive


Re: ipfilter, return-icmp and RFC1122



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 5 Jun 2008, John Nemeth wrote:

>} Note that a quick fix would be to treat the broadcast address `specially'
>} for these rules.  So replace the above with:
>} 
>}     my_addr="10.2.3.4";
>}     broadcast_addr="10.2.3.255";
>} 
>}     block from any to $broadcast_addr
>}     block return-rst  in proto tcp
>}     block return-icmp(port-unr) in proto udp from any to $my_addr
>}     block return-icmp in proto udp
>} 
>} This should give the most `realistic' error responses for your non-open
>} ports, unless I'm missing something (entirely possible).
>
>     IPF rules are last match, so wouldn't this cause the same
>problem?  Should the "block from any to $broadcast_addr" be at the
>bottom?

Yes, or rather, the rules should use 'block quick'.

- -- 
                                Jim Wise
                                jwise%draga.com@localhost
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (NetBSD)

iD8DBQFISFSuq/KRbT0KwbwRAln6AJ9yXO68qMyWBA0CoyVL5984Bhh9LgCdGJ6V
ZxYc778ikGsmJVeDjvu+Arc=
=i1Hb
-----END PGP SIGNATURE-----
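To make the ordering problem concrete, here is an added example (not part of the thread or of IPFilter itself) that models ipf's rule evaluation: every rule is tried in order and the last match wins, unless a matching rule carries `quick`, in which case that rule is final. It runs the quoted rule set, and the same set with `quick` on each rule, against a UDP datagram addressed to the broadcast address and against packets to closed ports on the host. The model assumes ipf's default of passing a packet no rule matches, and treats a rule with no `in`/`out` keyword as matching both directions (real ipf requires the direction); the packet addresses are constructed. Under last-match the general `block return-icmp in proto udp` at the bottom overrides the broadcast block above it, so the host would still send ICMP in reply to a broadcast datagram, which RFC 1122 forbids; with `quick` the broadcast rule is final.

```python
# Added example: a small model of IPFilter's rule-evaluation order, written to
# illustrate the thread above. It is not ipf code; it only mimics the
# "last matching rule wins, unless a matching rule says quick" behaviour.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    direction: str  # "in" or "out"
    proto: str      # "tcp", "udp", ...
    src: str
    dst: str


@dataclass
class Rule:
    action: str               # "block" or "pass"
    quick: bool               # stop evaluation when this rule matches
    response: Optional[str]   # e.g. "return-rst", "return-icmp(port-unr)", or None
    direction: Optional[str]  # None = both directions (simplification; ipf requires in/out)
    proto: Optional[str]      # None = any protocol
    src: str                  # "any" or an address
    dst: str                  # "any" or an address

    def matches(self, pkt: Packet) -> bool:
        return (self.direction in (None, pkt.direction)
                and self.proto in (None, pkt.proto)
                and self.src in ("any", pkt.src)
                and self.dst in ("any", pkt.dst))


def parse_rule(text: str, variables: Dict[str, str]) -> Rule:
    """Parse the subset of ipf rule syntax used in the thread."""
    for name, value in variables.items():
        text = text.replace("$" + name, value)
    tokens = text.split()
    action = tokens.pop(0)
    if action not in ("block", "pass"):
        raise ValueError(f"unsupported action: {action}")
    quick, response, direction, proto = False, None, None, None
    src = dst = "any"
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "quick":
            quick = True
        elif tok.startswith("return-"):
            response = tok
        elif tok in ("in", "out"):
            direction = tok
        elif tok == "proto":
            i += 1
            proto = tokens[i]
        elif tok == "from":
            i += 1
            src = tokens[i]
        elif tok == "to":
            i += 1
            dst = tokens[i]
        else:
            raise ValueError(f"unsupported keyword: {tok}")
        i += 1
    return Rule(action, quick, response, direction, proto, src, dst)


def parse_rules(lines: List[str], variables: Dict[str, str]) -> List[Rule]:
    return [parse_rule(line, variables) for line in lines]


def decide(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[str]]:
    """Return (action, response) for pkt under ipf's evaluation order.

    Assumed default: pass when no rule matches. Without quick, a later match
    replaces an earlier one; a matching quick rule ends evaluation at once.
    """
    verdict: Tuple[str, Optional[str]] = ("pass", None)
    for rule in rules:
        if rule.matches(pkt):
            verdict = (rule.action, rule.response)
            if rule.quick:
                break
    return verdict


VARS = {"my_addr": "10.2.3.4", "broadcast_addr": "10.2.3.255"}

# The rule set proposed in the quoted message, without "quick".
PROPOSED = [
    "block from any to $broadcast_addr",
    "block return-rst in proto tcp",
    "block return-icmp(port-unr) in proto udp from any to $my_addr",
    "block return-icmp in proto udp",
]

# Same rules with "quick" on each: the first match is final, so the specific
# rules at the top take precedence over the general ones below them.
CORRECTED = [line.replace("block ", "block quick ", 1) for line in PROPOSED]

if __name__ == "__main__":
    # Constructed probe packets (source address is made up).
    probes = [
        Packet("in", "udp", "10.2.3.9", "10.2.3.255"),  # UDP to the broadcast address
        Packet("in", "udp", "10.2.3.9", "10.2.3.4"),    # UDP to a closed port on the host
        Packet("in", "tcp", "10.2.3.9", "10.2.3.4"),    # TCP to a closed port on the host
    ]
    for name, lines in (("proposed", PROPOSED), ("with quick", CORRECTED)):
        rules = parse_rules(lines, VARS)
        for pkt in probes:
            print(f"{name:10} {pkt.proto} -> {pkt.dst}: {decide(rules, pkt)}")
```

Note that the last-match ordering also downgrades the UDP-to-host case: the specific `return-icmp(port-unr)` rule is overridden by the general `return-icmp` rule below it, so the host never sends the port-unreachable the author wanted. With `quick` on every rule, the order given in the message is exactly right: specific rules first, general ones last.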

