From owner-freebsd-net Sat May 30 20:23:19 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id UAA20761 for freebsd-net-outgoing; Sat, 30 May 1998 20:23:19 -0700 (PDT) (envelope-from owner-freebsd-net@FreeBSD.ORG)
Received: from panda.hilink.com.au (panda.hilink.com.au [203.8.15.25]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id UAA20716 for ; Sat, 30 May 1998 20:23:14 -0700 (PDT) (envelope-from danny@panda.hilink.com.au)
Received: (from danny@localhost) by panda.hilink.com.au (8.8.5/8.8.5) id NAA00753; Sun, 31 May 1998 13:22:39 +1000 (EST)
Date: Sun, 31 May 1998 13:22:39 +1000 (EST)
From: "Daniel O'Callaghan"
To: Philippe Regnauld
cc: security@deepo.prosa.dk, freebsd-net@FreeBSD.ORG
Subject: Re: ipfw & icmp question
In-Reply-To: <19980530234807.14632@deepo.prosa.dk>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, 30 May 1998, Philippe Regnauld wrote:

> [crossposting to -net and -security -- shoot me if necessary]
>
> I am a bit puzzled regarding the following situation:
>
> I have a machine with IPFW setup to send "port unreachable" if
> a connection attempt is made on port 113/TCP (identd). The policy
> is default deny. Here is what happens when I do "telnet host 113"

Poul-Henning had a good explanation of why FreeBSD does not immediately
believe a port-unreach packet, but I can't remember it.

The simplest is to send what the kernel would if you let the packet
through - TCP RST.

    ipfw add X reset tcp from any to any 113

Danny
/* Daniel O'Callaghan                                      */
/* HiLink Internet                   danny@hilink.com.au   */
/* FreeBSD - works hard, plays hard...   danny@freebsd.org */

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
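The following is an added example, not part of the mailing-list message above and not Danny's or the FreeBSD project's code. It puts the suggested `reset` rule into a complete default-deny ipfw ruleset so the ordering is visible: the RST rule for 113/TCP has to sit before the final deny, and the ICMP "port unreachable" variant the original poster used is shown alongside it for comparison. Rule numbers, the `lo0` interface, the SMTP allow rule and the `IPFW` override variable are assumptions chosen for illustration; setting `IPFW=echo` prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): load a default-deny ipfw
# ruleset that answers identd probes on 113/TCP with a TCP RST, as suggested
# in the reply, instead of an ICMP port-unreachable.
# IPFW defaults to /sbin/ipfw; set IPFW=echo to print the rules instead of
# loading them (useful for review on a non-FreeBSD host).
# Rule numbers, lo0 and the SMTP rule are assumptions for illustration.
IPFW="${IPFW:-/sbin/ipfw}"

load_rules() {
    "$IPFW" -f flush
    # Loopback and already-established connections first.
    "$IPFW" add 100 allow ip from any to any via lo0
    "$IPFW" add 200 allow tcp from any to any established
    # Identd probes: send the RST the kernel itself would send for a closed
    # port, so the remote connect() fails immediately.
    "$IPFW" add 300 reset tcp from any to any 113
    # What the original poster had instead (ICMP port unreachable); kept
    # here commented out for comparison only:
    # "$IPFW" add 300 unreach port tcp from any to any 113
    # Services actually offered (constructed example: SMTP only).
    "$IPFW" add 400 allow tcp from any to any 25 setup
    # Default deny, logged. The 113 rule above must precede this one.
    "$IPFW" add 65000 deny log ip from any to any
}

# Usage: "sh rules.sh load" applies the rules; "sh rules.sh print" shows them.
case "${1:-}" in
    load)  load_rules ;;
    print) IPFW=echo; load_rules ;;
esac
```

With `IPFW=echo` the script emits one line per rule, which makes it easy to check in a review that the `reset` rule is numbered lower than the catch-all deny; under ipfw the first matching rule wins, so a `reset` placed after the deny would never fire.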