From owner-freebsd-stable Tue Mar 10 11:11:14 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id LAA28970 for freebsd-stable-outgoing; Tue, 10 Mar 1998 11:11:14 -0800 (PST) (envelope-from owner-freebsd-stable@FreeBSD.ORG)
Received: from gw.jmrodgers.com ([205.247.224.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id LAA28840 for ; Tue, 10 Mar 1998 11:10:38 -0800 (PST) (envelope-from meuston@jmrodgers.com)
Received: from max.jmrodgers.com (max.jmrodgers.com [205.247.224.209]) by gw.jmrodgers.com (8.8.8/8.8.8) with SMTP id OAA09560; Tue, 10 Mar 1998 14:08:52 -0500 (EST) (envelope-from meuston@jmrodgers.com)
Received: by localhost with Microsoft MAPI; Tue, 10 Mar 1998 14:07:35 -0500
Message-ID: <01BD4C2D.DFF29BE0.meuston@jmrodgers.com>
From: Max Euston
To: "'Alex Nash'" , Mike Tancsa
Cc: "stable@FreeBSD.ORG"
Subject: RE: ipfw unreach statement help
Date: Tue, 10 Mar 1998 14:07:33 -0500
Organization: J.M. Rodgers Co., Inc.
X-Mailer: Microsoft Internet E-mail/MAPI - 8.0.0.4211
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk

On Tuesday, March 10, 1998 11:12 AM, Alex Nash [SMTP:nash@Mcs.Net] wrote:
> On Mon, 9 Mar 1998, Mike Tancsa wrote:
[snip]
> > But when I ping the host from the outside, I don't get an ICMP message back
> > that it's blocked by a filter as I do when ping a different non-FreeBSD
> > hosts (e.g.)
>
> ipfw will not send an ICMP packet in response to an ICMP packet. Doing so
> might result in some nasty endless loops. One could argue that it would
> make sense to reply with ICMP_UNREACH when the incoming packet was not
> ICMP_UNREACH, but more thought would be required to ensure there weren't
> any endless loop scenarios possible from this (I can't think of any
> off-hand).
>
> Alex
>

How about only reply when the source packet is an ICMP:8 (echo or "ping")? Isn't this the only packet type that by design expects a response (ICMP:0 echo-reply) (I am not reading from the RFP - so I may be wrong). We would just be responding with a different packet as some other systems already do.

I tried to do this a while ago and just never followed up on it. I will have a look at the source and see about a patch *IF* this sounds like a reasonable solution.

Any comments?

Max
-----
Max Euston
Sysadm, Programmer, etc...

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
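
The three reply policies discussed in this thread, side by side, as an added C example that is not part of the original message or of ipfw's source. The enum, function and packet names and the sample packets are this example's own, and it goes slightly beyond the thread by also applying the RFC 1122 rule that no ICMP error is sent for a non-initial fragment.

```c
#include <stddef.h>
#include <stdint.h>

enum policy {                /* names are this example's own */
    NEVER_FOR_ICMP,          /* behaviour Alex describes: no reply to any ICMP */
    NOT_FOR_ICMP_ERRORS,     /* reply unless the input is itself an ICMP error */
    ECHO_REQUEST_ONLY        /* Max's proposal: among ICMP, reply only to type 8 */
};

/* ICMP error types (unreach, source quench, redirect, time exceeded,
 * parameter problem): answering one of these is what risks a loop. */
static int icmp_is_error(uint8_t type)
{
    return type == 3 || type == 4 || type == 5 || type == 11 || type == 12;
}

/* Return 1 if an ICMP unreachable may be generated for the IPv4 packet in
 * pkt[0..len), 0 if the packet must be dropped silently. */
int may_send_unreach(const uint8_t *pkt, size_t len, enum policy p)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return 0;                            /* not a usable IPv4 header */
    size_t hlen = (size_t)(pkt[0] & 0x0f) * 4;
    if (hlen < 20 || len < hlen)
        return 0;                            /* bad or truncated header */
    if (((((unsigned)pkt[6]) << 8 | pkt[7]) & 0x1fff) != 0)
        return 0;                            /* non-initial fragment */
    if (pkt[9] != 1)
        return 1;                            /* TCP, UDP, ...: not ICMP */
    if (p == NEVER_FOR_ICMP || len < hlen + 1)
        return 0;                            /* ICMP, or type byte missing */
    uint8_t type = pkt[hlen];
    if (p == ECHO_REQUEST_ONLY)
        return type == 8;
    return !icmp_is_error(type);
}

/* Constructed sample packets: 20-byte IPv4 header (checksums left zero,
 * documentation addresses 192.0.2.1 -> 192.0.2.2) plus 8 payload bytes. */
#define PKT(proto, fraglo, type) {0x45,0,0,28, 0,1,0,(fraglo), 64,(proto),0,0, \
    192,0,2,1, 192,0,2,2, (type),0,0,0, 0,0,0,0}
static const uint8_t echo_req[]   = PKT(1, 0, 8);   /* ICMP echo request */
static const uint8_t echo_reply[] = PKT(1, 0, 0);   /* ICMP echo reply */
static const uint8_t unreach[]    = PKT(1, 0, 3);   /* ICMP dest unreachable */
static const uint8_t udp_pkt[]    = PKT(17, 0, 0);  /* UDP datagram */
static const uint8_t frag_req[]   = PKT(1, 185, 8); /* non-initial fragment */
```

The echo reply sample is where the two proposals differ: NOT_FOR_ICMP_ERRORS would answer it, ECHO_REQUEST_ONLY would not.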