Date:      Sat, 30 May 1998 23:48:08 +0200
From:      Philippe Regnauld <regnauld@deepo.prosa.dk>
To:        security@deepo.prosa.dk
Cc:        freebsd-net@FreeBSD.ORG
Subject:   ipfw & icmp question
Message-ID:  <19980530234807.14632@deepo.prosa.dk>

	[crossposting to -net and -security -- shoot me if necessary]

I am a bit puzzled regarding the following situation:

I have a machine with IPFW setup to send "port unreachable" if
a connection attempt is made on port 113/TCP (identd).  The policy
is default deny.  Here is what happens when I do "telnet host 113"

- from a FreeBSD host (A.B.C.D) to the FreeBSD box (E.F.G.H):

01:35:02.307343 A.B.C.D.2218 > E.F.G.H.113: S 2940925835:2940925835(0) win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp[|tcp]> (DF) [tos 0x10]
01:35:02.308070 E.F.G.H > A.B.C.D: icmp: E.F.G.H tcp port 113 unreachable (DF)
01:35:04.850388 A.B.C.D.2218 > E.F.G.H.113: S 2940925835:2940925835(0) win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp[|tcp]> (DF) [tos 0x10]
01:35:04.851237 E.F.G.H > A.B.C.D: icmp: E.F.G.H tcp port 113 unreachable (DF)

  Symptom: the connection is NOT dropped right away, and the
  first host (A.B.C.D) keeps on trying until timeout (thus
  the packet being sent twice as above).

  Both hosts are 2.2.6

- from a Linux box (W.X.Y.Z) to the same FreeBSD box (E.F.G.H):

01:38:22.901190 W.X.Y.Z.1166 > E.F.G.H.113: S 3448428087:3448428087(0) win 512 <mss 1460>
01:38:22.901969 E.F.G.H > W.X.Y.Z: icmp: E.F.G.H tcp port 113 unreachable

	No problem here, the Linux telnet responds:

	Trying E.F.G.H...
	telnet: Unable to connect to remote host: Connection refused

	... and returns right away.


The IPFW rule is:

add unreach port tcp from any to E.F.G.H 113

... and of course ICMP messages are enabled.

Help ? :-}  I've looked in the O'Reilly book and other sources
but I can't find out this one.

PS: in the /etc/rc.firewall (2.2.6 still), one rule says
for the "Simple firewall setup":

 # Allow DNS queries out in the world
 /sbin/ipfw add pass udp from any 53 to ${oip}
 /sbin/ipfw add pass udp from ${oip} to any 53

This is a bit confusing -- from reading the rules, I understand:

"Allow DNS queries, from out in the world, to us", while
the formulation above says "Allow DNS queries from inside/here
out into the world".

My 0.02 Euros^H^HDKK.


-- 
                                            -[ Philippe Regnauld / Sysadmin ]-
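Added example (not part of the original post, and not FreeBSD or ipfw code): a small parser for the tcpdump lines quoted above that pairs each SYN with the ICMP "tcp port N unreachable" replies and counts how many SYNs a client keeps sending after it has already been refused. The trace below is constructed from the post's own lines with the same placeholder addresses; the regular expressions assume the old single-line tcpdump format shown in the post.

```python
import re

# Constructed sample trace, modelled on the tcpdump lines quoted in the post.
TRACE = """\
01:35:02.307343 A.B.C.D.2218 > E.F.G.H.113: S 2940925835:2940925835(0) win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp[|tcp]> (DF) [tos 0x10]
01:35:02.308070 E.F.G.H > A.B.C.D: icmp: E.F.G.H tcp port 113 unreachable (DF)
01:35:04.850388 A.B.C.D.2218 > E.F.G.H.113: S 2940925835:2940925835(0) win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp[|tcp]> (DF) [tos 0x10]
01:35:04.851237 E.F.G.H > A.B.C.D: icmp: E.F.G.H tcp port 113 unreachable (DF)
01:38:22.901190 W.X.Y.Z.1166 > E.F.G.H.113: S 3448428087:3448428087(0) win 512 <mss 1460>
01:38:22.901969 E.F.G.H > W.X.Y.Z: icmp: E.F.G.H tcp port 113 unreachable
"""

# "time src.sport > dst.dport: S isn:isn(0) ..." (1998-era tcpdump layout)
SYN_RE = re.compile(r"^(\S+) (\S+)\.(\d+) > (\S+)\.(\d+): S (\d+):\d+\(0\)")
# "time server > client: icmp: server tcp port N unreachable"
ICMP_RE = re.compile(r"^(\S+) (\S+) > (\S+): icmp: \S+ tcp port (\d+) unreachable")


def syn_after_unreach(trace):
    """Map (client, sport, server, dport) -> number of SYNs the client sent
    after the server had already answered 'port unreachable' for that port.
    A non-zero count means the client did not treat the ICMP error as
    'connection refused' and kept retransmitting, as the FreeBSD host did."""
    refused = set()   # (client, server, dport) already told "unreachable"
    counts = {}
    for line in trace.splitlines():
        m = SYN_RE.match(line)
        if m:
            _, src, sport, dst, dport, _isn = m.groups()
            key = (src, int(sport), dst, int(dport))
            counts.setdefault(key, 0)
            if (src, dst, int(dport)) in refused:
                counts[key] += 1
            continue
        m = ICMP_RE.match(line)
        if m:
            _, server, client, dport = m.groups()
            refused.add((client, server, int(dport)))
    return counts


def clients_ignoring_unreach(trace):
    """Sorted list of client addresses that retried a SYN after being refused."""
    return sorted({k[0] for k, n in syn_after_unreach(trace).items() if n > 0})
```

Run against the constructed trace, `clients_ignoring_unreach(TRACE)` names only the FreeBSD client A.B.C.D; the Linux client W.X.Y.Z sends a single SYN and stops.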
