Petar Bogdanovic
2008-06-04 13:03:06 UTC
Hi,
I recently noticed that ipfilter with `block return-icmp' is returning
ICMP Type 3 Code 0 (Network unreachable) to the sender of a blocked
broadcast:
130.3.3.3 ---------[***@130.3.3.255]--------> 130.3.3.4
130.3.3.3 <----[ICMP Network unreachable]---- 130.3.3.4
This seems wrong, considering RFC1122, page 39:
An ICMP error message MUST NOT be sent as the result of
receiving:
* an ICMP error message, or
* a datagram destined to an IP broadcast or IP multicast
address, or
* a datagram sent as a link-layer broadcast, or
* a non-initial fragment, or
* a datagram whose source address does not define a single
host -- e.g., a zero address, a loopback address, a
broadcast address, a multicast address, or a Class E
address.
Is this desired behaviour?
My ipf.conf:
pass in quick on lo0 all
pass out quick on lo0 all
block in quick from 192.168.0.0/16 to any
block in quick from 172.16.0.0/12 to any
block in quick from 10.0.0.0/8 to any
block in quick from 127.0.0.0/8 to any
block in quick from 0.0.0.0/8 to any
block in quick from 169.254.0.0/16 to any
block in quick from 192.0.2.0/24 to any
block in quick from 204.152.64.0/23 to any
block in quick from 224.0.0.0/3 to any
block out log first level auth.info quick from any to 192.168.0.0/16
block out log first level auth.info quick from any to 172.16.0.0/12
block out log first level auth.info quick from any to 10.0.0.0/8
block out log first level auth.info quick from any to 127.0.0.0/8
block out log first level auth.info quick from any to 0.0.0.0/8
block out log first level auth.info quick from any to 169.254.0.0/16
block out log first level auth.info quick from any to 192.0.2.0/24
block out log first level auth.info quick from any to 204.152.64.0/23
block out log first level auth.info quick from any to 224.0.0.0/3
block in all
block out all
pass in proto icmp icmp-type 3
pass in proto icmp icmp-type 8 keep state
pass out proto icmp icmp-type 3
pass out proto icmp icmp-type 8 keep state
pass in proto udp from any to any port = 53 keep state
pass in proto tcp from any to any port = 22 flags S keep state keep frags
pass in proto tcp from any to any port = 25 flags S keep state keep frags
pass in proto tcp from any to any port = 53 flags S keep state keep frags
pass out proto udp from any to any port = 53 keep state
pass out proto udp from any to any port = 123 keep state
pass out proto tcp from any to any port = 25 flags S keep state keep frags
pass out proto tcp from any to any port = 53 flags S keep state keep frags
Thanks,
Petar
--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
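The RFC 1122 rule quoted in the post, modelled as an added example (this is not code from the post, nor from ipfilter): a small Python filter-side check that decides whether a dropped datagram may be answered with an ICMP error at all, applied before a `block return-icmp` style action would send one. The `Datagram` record, the function names and the local subnet 130.3.3.0/24 are assumptions made for the demonstration; the sample packets are constructed, with the first one mirroring the 130.3.3.3 to 130.3.3.255 broadcast from the post.

```python
"""Added example (not from the original post or from ipfilter): a model of the
RFC 1122 section 3.2.2 "MUST NOT send an ICMP error" rule as a packet filter
should apply it before emitting return-icmp traffic."""

import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ICMP_PROTO = 1
# ICMP message types that are themselves error messages (RFC 792):
# dest unreachable, source quench, redirect, time exceeded, parameter problem.
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}

# Assumed local interface subnet for the demonstration (hypothetical).
LOCAL_NET = ipaddress.IPv4Network("130.3.3.0/24")


@dataclass
class Datagram:
    """Constructed stand-in for the IP header fields the check needs."""
    src: str
    dst: str
    proto: int                         # IP protocol number (1 = ICMP, 17 = UDP)
    frag_offset: int = 0               # non-zero means a non-initial fragment
    icmp_type: Optional[int] = None    # only meaningful when proto == 1
    link_broadcast: bool = False       # frame arrived as a link-layer broadcast


def _is_single_host(addr: ipaddress.IPv4Address,
                    local_net: ipaddress.IPv4Network) -> bool:
    """RFC 1122: the source must identify exactly one host. Rejects the zero
    network, loopback, multicast, class E (240/4, is_reserved in Python) and
    both the limited and the local subnet broadcast address."""
    if addr in ipaddress.IPv4Network("0.0.0.0/8"):
        return False
    if addr.is_loopback or addr.is_multicast or addr.is_reserved:
        return False
    if addr == ipaddress.IPv4Address("255.255.255.255"):
        return False
    if addr == local_net.broadcast_address:
        return False
    return True


def icmp_error_allowed(pkt: Datagram,
                       local_net: ipaddress.IPv4Network) -> Tuple[bool, str]:
    """Return (allowed, reason) for generating an ICMP error about `pkt`,
    checking the five RFC 1122 conditions in the order the RFC lists them."""
    src = ipaddress.IPv4Address(pkt.src)
    dst = ipaddress.IPv4Address(pkt.dst)

    if pkt.proto == ICMP_PROTO and pkt.icmp_type in ICMP_ERROR_TYPES:
        return False, "in reply to an ICMP error message"
    if (dst.is_multicast
            or dst == ipaddress.IPv4Address("255.255.255.255")
            or dst == local_net.broadcast_address):
        return False, "destination is an IP broadcast or multicast address"
    if pkt.link_broadcast:
        return False, "datagram arrived as a link-layer broadcast"
    if pkt.frag_offset != 0:
        return False, "non-initial fragment"
    if not _is_single_host(src, local_net):
        return False, "source address does not define a single host"
    return True, "ok"


def block_with_return_icmp(pkt: Datagram,
                           local_net: ipaddress.IPv4Network) -> str:
    """What a blocking rule with return-icmp should do for `pkt`: send the
    unreachable only when RFC 1122 permits it, otherwise drop silently."""
    allowed, why = icmp_error_allowed(pkt, local_net)
    if allowed:
        return "send ICMP type 3 code 0 to " + pkt.src
    return "drop silently (" + why + ")"


if __name__ == "__main__":
    samples = [
        Datagram("130.3.3.3", "130.3.3.255", 17),                  # subnet broadcast (the post's case)
        Datagram("130.3.3.3", "130.3.3.4", 17),                    # ordinary unicast UDP
        Datagram("130.3.3.3", "130.3.3.4", 1, icmp_type=3),        # an ICMP error itself
        Datagram("130.3.3.3", "130.3.3.4", 17, frag_offset=185),   # non-initial fragment
        Datagram("224.0.0.9", "130.3.3.4", 17),                    # multicast source
    ]
    for s in samples:
        print(s.src, "->", s.dst, ":", block_with_return_icmp(s, LOCAL_NET))
```

Running the script prints a verdict per sample packet; only the plain unicast case produces an ICMP unreachable, while the broadcast from the post is dropped without a reply, which is the behaviour the RFC text calls for.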