From owner-freebsd-security Mon May 28 5:41:51 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ringworld.nanolink.com (ringworld.nanolink.com [195.24.48.13]) by hub.freebsd.org (Postfix) with SMTP id 4B9EB37B423 for ; Mon, 28 May 2001 05:41:38 -0700 (PDT) (envelope-from roam@orbitel.bg)
Received: (qmail 7716 invoked by uid 1000); 28 May 2001 12:40:40 -0000
Date: Mon, 28 May 2001 15:40:40 +0300
From: Peter Pentchev
To: Cy Schubert - ITSD Open Systems Group
Cc: patl@phoenix.volant.org, Sheldon Hearn , freebsd-security@FreeBSD.ORG
Subject: Re: ipfw: reset -vs- unreach port
Message-ID: <20010528154040.J588@ringworld.oblivion.bg>
Mail-Followup-To: Cy Schubert - ITSD Open Systems Group , patl@phoenix.volant.org, Sheldon Hearn , freebsd-security@FreeBSD.ORG
References: <20010528131136.A588@ringworld.oblivion.bg> <200105281233.f4SCXJE11964@cwsys.cwsent.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <200105281233.f4SCXJE11964@cwsys.cwsent.com>; from Cy.Schubert@uumail.gov.bc.ca on Mon, May 28, 2001 at 05:33:10AM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, May 28, 2001 at 05:33:10AM -0700, Cy Schubert - ITSD Open Systems Group wrote:
> In message <20010528131136.A588@ringworld.oblivion.bg>, Peter Pentchev
> writes:
> > On Mon, May 28, 2001 at 12:03:48PM +0200, Sheldon Hearn wrote:
> > >
> > > On Mon, 28 May 2001 00:55:45 MST, patl@Phoenix.Volant.ORG wrote:
> > >
> > > > There are a few 'nuisance' TCP services that are normally blocked by
> > > > firewalls (e.g., auth [113] and netbios-ns [137]). In the interest
> > > > of reducing the delays which would be imposed by simply dropping
> > > > those packets, is it better to use 'reset' (send an RST), 'unreach
> > > > port' (send a Port Unreachable ICMP message), or 'unreach filter-prohib'
> > > > (send a Filter Prohibition ICMP message)?
> > >
> > > Yes.
> >
> > Uh.. I think the original poster already considered using one of these
> > three better than just dropping the packet on the floor, and his question
> > was more like which of the three was better :)
> >
> > IMHO, a simple RST would be best - a classic, old-fashioned 'connection
> > refused, no one here' reply, almost no indication that it is actually
> > a firewall blocking the attempt, no fear of overly-paranoid firewalls
> > dropping stray ICMP packets (and causing the same delay due to no response).
> > Yes, I know that no one should block *these* types of ICMP, but the sad
> > fact is, some ISPs do.
>
> Actually, there is indication that there is a firewall by sending a
> simple RST. If in fact the firewall is dropping all other packets and
> just sending RST for blocked packets destined for port 113, we must
> conclude that there is a firewall blocking access. If the firewall
> sends a RST to all connection attempts, replies with port-unreachable
> to any UDP packets, and replies to all pings, it will appear that a
> host is connected but not running any services. Anything other than a
> black hole response to everything would make it easy to deduce that a
> firewall is in the path. Of course just dropping every blocked packet
> will seem to indicate that there is no host or firewall in the path,
> but you cannot be selective about this.

I was talking about a case when there are no dropped connection attempts,
and every 'denied' connection attempt is 'denied' by sending a RST.

G'luck,
Peter

-- 
This sentence was in the past tense.
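The point Peter and Cy converge on is consistency: a firewall that answers port 113 with RST but silently drops everything else stands out, whereas one that refuses every unwanted TCP SYN with RST and every unwanted UDP datagram with an ICMP port unreachable looks like an ordinary host with no listeners. The ruleset below is an added illustration of that approach in ipfw(8) syntax, not code from the thread; the rule numbers, the `fxp0` interface, the allowed port list and the `IPFW` variable (which defaults to a dry run that only prints the commands) are assumptions.

```shell
#!/bin/sh
# Added example: an ipfw ruleset that refuses blocked traffic uniformly,
# so 'reset' on one nuisance port is never the only non-silent answer.
# Assumptions: rule numbers, interface name, allowed ports, and the IPFW
# variable are illustrative; set IPFW=ipfw on a FreeBSD box to apply.
IPFW=${IPFW:-"echo ipfw"}
EXT_IF=${EXT_IF:-fxp0}

# TCP services actually offered on the outside interface.
ALLOWED_TCP="22 25 80"

nuisance_rules() {
    n=1000
    # Packets belonging to connections we already accepted pass first.
    $IPFW add $n check-state
    for p in $ALLOWED_TCP; do
        n=$((n + 10))
        $IPFW add $n allow tcp from any to me $p in via "$EXT_IF" setup keep-state
    done
    # Every other inbound SYN gets a RST, the same reply a host with no
    # listener on that port would send.  This replaces a selective
    # 'reset ... 113' plus 'deny' for the rest, which marks the firewall.
    n=$((n + 10))
    $IPFW add $n reset tcp from any to me in via "$EXT_IF" setup
    # UDP has no RST; 'unreach port' is the host-like answer (cf. 137).
    n=$((n + 10))
    $IPFW add $n unreach port udp from any to me in via "$EXT_IF"
}

nuisance_rules
```

With the dry-run default the script only prints the `ipfw add` commands, which is a convenient way to review the generated rule numbers before loading them.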