tech-net archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: ipfilter, return-icmp and RFC1122

Hash: SHA1

On Thu, 5 Jun 2008, John Nemeth wrote:

>} On the broadcast question, as Mouse notes, IPF is doing what you told it to
>} do -- since you've configured IPF to respond with an ICMP error for any
>} packet which reaches it (there's no dst address clause in your rule), it is
>} doing so.
>     This may be so based on a strict reading of the syntax, but it
>would be nice if IPF behaved in a sensible way by default and you had
>to explicitly misconfigure it in order to get improper behaviour.

Well, the default behavior is arguably right for a router (the more 
common IPF use case.  In any case, the error should be a rare one -- 
sssuming proper config of border routers, any broadcast packet you see 
reaching a host will have originated on the local subnet (or close), so 
such a response should be rare and local.

- -- 
                                Jim Wise
Version: GnuPG v1.4.9 (NetBSD)


Home | Main Index | Thread Index | Old Index