tech-net archive


Re: ipfilter, return-icmp and RFC1122



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 5 Jun 2008, John Nemeth wrote:

>} On the broadcast question, as Mouse notes, IPF is doing what you told it to
>} do -- since you've configured IPF to respond with an ICMP error for any
>} packet which reaches it (there's no dst address clause in your rule), it is
>} doing so.
>
>     This may be so based on a strict reading of the syntax, but it
>would be nice if IPF behaved in a sensible way by default and you had
>to explicitly misconfigure it in order to get improper behaviour.

Well, the default behavior is arguably right for a router (the more 
common IPF use case).  In any case, the error should be a rare one -- 
assuming proper config of border routers, any broadcast packet you see 
reaching a host will have originated on the local subnet (or close), so 
such a response should be rare and local.

- -- 
                                Jim Wise
                                jwise%draga.com@localhost
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (NetBSD)

iD8DBQFISFVnq/KRbT0KwbwRAtRfAJ9I0/unNj8huw5bS7ysgjMYA0r2RQCfVIVj
3nWdaQ+kd0xndYhdzOQ3GOM=
=a+1H
-----END PGP SIGNATURE-----

