From owner-freebsd-security Sat May 30 14:52:09 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA10479 for freebsd-security-outgoing; Sat, 30 May 1998 14:52:09 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from mail.ftf.dk (mail.ftf.dk [129.142.64.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA10315 for ; Sat, 30 May 1998 14:51:06 -0700 (PDT) (envelope-from regnauld@deepo.prosa.dk)
Received: from mail.prosa.dk ([192.168.100.2]) by mail.ftf.dk (8.8.8/8.8.8/gw-ftf-1.0) with ESMTP id XAA01450 for ; Sat, 30 May 1998 23:50:39 +0200 (CEST) (envelope-from regnauld@deepo.prosa.dk)
X-Authentication-Warning: mail.ftf.dk: Host [192.168.100.2] claimed to be mail.prosa.dk
Received: from deepo.prosa.dk (deepo.prosa.dk [192.168.100.10]) by mail.prosa.dk (8.8.5/8.8.5/prosa-1.1) with ESMTP id XAA16643 for ; Sat, 30 May 1998 23:51:17 +0200 (CEST)
Received: (from regnauld@localhost) by deepo.prosa.dk (8.8.8/8.8.5/prosa-1.1) id XAA25176 for freebsd-security@freebsd.org; Sat, 30 May 1998 23:49:42 +0200 (CEST)
Message-ID: <19980530234807.14632@deepo.prosa.dk>
Date: Sat, 30 May 1998 23:48:08 +0200
From: Philippe Regnauld
To: security@deepo.prosa.dk
Cc: freebsd-net@FreeBSD.ORG
Subject: ipfw & icmp question
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.88e
X-Operating-System: FreeBSD 2.2.6-RELEASE i386
Organization: PROSA
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

[crossposting to -net and -security -- shoot me if necessary]

I am a bit puzzled regarding the following situation: I have a machine with IPFW setup to send "port unreachable" if a connection attempt is made on port 113/TCP (identd). The policy is default deny.
Here is what happens when I do "telnet host 113"

- from a FreeBSD host (A.B.C.D) to the FreeBSD box (E.F.G.H):

  01:35:02.307343 A.B.C.D.2218 > E.F.G.H.113: S 2940925835:2940925835(0) win 16384 (DF) [tos 0x10]
  01:35:02.308070 E.F.G.H > A.B.C.D: icmp: E.F.G.H tcp port 113 unreachable (DF)
  01:35:04.850388 A.B.C.D.2218 > E.F.G.H.113: S 2940925835:2940925835(0) win 16384 (DF) [tos 0x10]
  01:35:04.851237 E.F.G.H > A.B.C.D: icmp: E.F.G.H tcp port 113 unreachable (DF)

  Symptom: the connection is NOT dropped right away, and the first host (A.B.C.D) keeps on trying until timeout (thus the packet being sent twice as above).

  Both hosts are 2.2.6.

- from a Linux box (W.X.Y.Z) to the same FreeBSD box (E.F.G.H):

  01:38:22.901190 W.X.Y.Z.1166 > E.F.G.H.113: S 3448428087:3448428087(0) win 512
  01:38:22.901969 E.F.G.H > W.X.Y.Z: icmp: E.F.G.H tcp port 113 unreachable

  No problem here, the Linux telnet responds:

  Trying E.F.G.H...
  telnet: Unable to connect to remote host: Connection refused

  ... and returns right away.

The IPFW rule is:

  add unreach port tcp from any to E.F.G.H 113

... and of course ICMP messages are enabled.

Help ? :-}

I've looked in the O'Reilly book and other sources but I can't find out this one.

PS: in the /etc/rc.firewall (2.2.6 still), one rule says for the "Simple firewall setup":

  # Allow DNS queries out in the world
  /sbin/ipfw add pass udp from any 53 to ${oip}
  /sbin/ipfw add pass udp from ${oip} to any 53

This is a bit confusing -- from reading the rules, I understand: "Allow DNS queries, from out in the world, to us", while the formulation above says "Allow DNS queries from inside/here out into the world".

My 0.02 Euros^H^HDKK.

-- 
-[ Philippe Regnauld / Sysadmin ]-

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message
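The symptom above (a client re-sending the same SYN after the firewall has already answered with ICMP port unreachable) can be spotted mechanically in a tcpdump capture. The following is an added example, not code from the post or from FreeBSD: it parses tcpdump's 2.2.x-style text output and counts, per TCP flow, how many SYNs were retransmitted after the server had sent "tcp port N unreachable". The sample lines are constructed from the ones quoted in the mail, with the same placeholder hosts.

```python
import re

# Constructed sample, modelled on the tcpdump lines quoted in the post.
SAMPLE = """\
01:35:02.307343 A.B.C.D.2218 > E.F.G.H.113: S 2940925835:2940925835(0) win 16384 (DF) [tos 0x10]
01:35:02.308070 E.F.G.H > A.B.C.D: icmp: E.F.G.H tcp port 113 unreachable (DF)
01:35:04.850388 A.B.C.D.2218 > E.F.G.H.113: S 2940925835:2940925835(0) win 16384 (DF) [tos 0x10]
01:35:04.851237 E.F.G.H > A.B.C.D: icmp: E.F.G.H tcp port 113 unreachable (DF)
01:38:22.901190 W.X.Y.Z.1166 > E.F.G.H.113: S 3448428087:3448428087(0) win 512
01:38:22.901969 E.F.G.H > W.X.Y.Z: icmp: E.F.G.H tcp port 113 unreachable
"""

# "<ts> <src>.<sport> > <dst>.<dport>: S <seq>:<seq>(0) ..."  (a bare SYN)
SYN_RE = re.compile(r"^\S+ (\S+)\.(\d+) > (\S+)\.(\d+): S (\d+):\d+\(0\)")
# "<ts> <server> > <client>: icmp: <server> tcp port <port> unreachable ..."
UNREACH_RE = re.compile(r"^\S+ (\S+) > (\S+): icmp: \S+ tcp port (\d+) unreachable")


def syns_after_unreachable(dump):
    """Map 'client:port->server:port' to the number of SYNs the client
    re-sent *after* the server had answered with ICMP port unreachable.
    A count of 0 means the client gave up on the first unreachable."""
    refused = set()   # flows that have already been told "port unreachable"
    counts = {}
    for line in dump.splitlines():
        m = SYN_RE.match(line)
        if m:
            src, sport, dst, dport, _seq = m.groups()
            flow = f"{src}:{sport}->{dst}:{dport}"
            counts.setdefault(flow, 0)
            if flow in refused:
                counts[flow] += 1      # SYN retransmitted despite the unreachable
            continue
        m = UNREACH_RE.match(line)
        if m:
            server, client, port = m.groups()
            # tcpdump's one-line ICMP summary omits the client port, so mark
            # every flow from this client to server:port as refused.
            for flow in counts:
                if flow.startswith(f"{client}:") and flow.endswith(f"->{server}:{port}"):
                    refused.add(flow)
    return counts


if __name__ == "__main__":
    for flow, n in syns_after_unreachable(SAMPLE).items():
        print(f"{flow}: {n} SYN(s) re-sent after ICMP port unreachable")
```

On the sample this reports 1 retransmission for the FreeBSD client and 0 for the Linux one, which is exactly the difference described in the mail.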