Date: Sun, 19 Nov 2000 18:30:04 -0600 (CST)
From: Mike Silbersack
To: Jesper Skriver
Cc: Alfred Perlstein, hackers@FreeBSD.ORG
Subject: Re: React to ICMP administratively prohibited ?
In-Reply-To: <20001119170042.A18095@skriver.dk>

On Sun, 19 Nov 2000, Jesper Skriver wrote:

> A coworker of mine got into "rfc mode" and found the below; as we both
> read it, it says that we MUST treat an ICMP unreachable like a TCP RST.
>
> ##########
> ... A transport protocol
> that has its own mechanism for notifying the sender that a
> port is unreachable (e.g., TCP, which sends RST segments)
> MUST nevertheless accept an ICMP Port Unreachable for the
> same purpose.
> ##########
>
> 9 = communication with destination network
> administratively prohibited
>
> 10 = communication with destination host
> administratively prohibited

Ok, you've got me convinced, it should be implemented. There's a problem,
though. Later RFCs say to use 13 instead of 10, as 10 was supposed to be
for DARPA use only. Perhaps you should retest the other OSes and see if
they're only responding to one of the two messages.

Ok, back to MXes. I've thought about it, and I can't think of any good
ways to do your configuration automatically. Perhaps you could have some
CGI that would allow you to remove yourself from the firewall ruleset,
assuming you were coming from the IP in question. Or, coming from the
other direction, the CGI could let you add yourself to the static mail
routing table if you were coming from the IP in question. I assume you're
using sendmail's "relay if I'm listed as an MX" feature right now?

Mike "Silby" Silbersack
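As an added illustration (not code from this thread or from FreeBSD), here is a C sketch of how a TCP stack could act on the ICMP Destination Unreachable codes under discussion. It parses the quoted IP/TCP header out of the ICMP message, matches it to a connection, applies the in-flight sequence-number check that RFC 5927 later recommended (so that an off-path sender cannot reset connections with forged ICMP), and only then maps the code: 2, 3 and the administratively-prohibited 9, 10 and 13 become RST-like hard errors, the rest stay soft as RFC 1122 requires. The `tcp_conn` struct, the function names, the single-entry connection table and every address, port and sequence number are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum icmp_action {         /* what TCP should do with a Destination Unreachable */
    ICMP_IGNORE_MALFORMED, /* too short, not type 3, or not quoting a TCP segment */
    ICMP_IGNORE_NO_CONN,   /* quoted addresses/ports match no connection */
    ICMP_IGNORE_BAD_SEQ,   /* quoted seq not in flight: likely off-path forgery */
    ICMP_SOFT_ERROR,       /* keep the connection, only record the error */
    ICMP_HARD_ERROR        /* abort the connection as if a RST had arrived */
};

struct tcp_conn {          /* minimal view of a connection, constructed for the demo */
    uint32_t laddr, raddr; /* local/remote IPv4 address, host byte order */
    uint16_t lport, rport; /* local/remote port, host byte order */
    uint32_t snd_una, snd_nxt; /* oldest unacknowledged seq, next seq to send */
};
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)(v >> 16)); wr16(p + 2, (uint16_t)v); }

/* RFC 1122 4.2.3.9: codes 2 and 3 are hard errors, 0, 1 and 5 soft; code 4 was later
 * claimed by path MTU discovery (RFC 1191) and must not abort. 9, 10, 13 follow the thread. */
static enum icmp_action classify_code(uint8_t code)
{
    switch (code) {
    case 2: case 3:            /* protocol / port unreachable */
    case 9: case 10: case 13:  /* administratively prohibited (13 per RFC 1812) */
        return ICMP_HARD_ERROR;
    default:
        return ICMP_SOFT_ERROR;
    }
}

/* icmp points at the ICMP header (type, code, checksum, 4 unused bytes) followed by
 * the quoted IPv4 header and at least the first 8 bytes of the original datagram. */
enum icmp_action icmp_unreach_action(const uint8_t *icmp, size_t len,
                                     const struct tcp_conn *conns, size_t nconns)
{
    if (len < 8 + 20 + 8 || icmp[0] != 3)
        return ICMP_IGNORE_MALFORMED;
    const uint8_t *ip = icmp + 8;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || 8 + ihl + 8 > len || ip[9] != 6 /* TCP */)
        return ICMP_IGNORE_MALFORMED;
    /* The quoted datagram is one we sent, so its source address is our local end. */
    uint32_t src = rd32(ip + 12), dst = rd32(ip + 16);
    const uint8_t *tcp = ip + ihl;
    uint16_t sport = rd16(tcp), dport = rd16(tcp + 2);
    uint32_t seq = rd32(tcp + 4); /* inside the 8 guaranteed bytes */
    const struct tcp_conn *c = NULL;
    for (size_t i = 0; i < nconns && c == NULL; i++)
        if (conns[i].laddr == src && conns[i].raddr == dst &&
            conns[i].lport == sport && conns[i].rport == dport)
            c = &conns[i];
    if (c == NULL)
        return ICMP_IGNORE_NO_CONN;
    /* Honour the error only if the quoted seq is in flight, snd_una <= seq < snd_nxt
     * (mod 2^32): the RFC 5927 check that keeps off-path forged ICMP from resetting us. */
    if (seq - c->snd_una >= c->snd_nxt - c->snd_una)
        return ICMP_IGNORE_BAD_SEQ;
    return classify_code(icmp[1]);
}

/* Build a constructed ICMP type 3 message (36 bytes) quoting an IPv4 + TCP header. */
size_t build_unreach(uint8_t *out, uint8_t code, uint32_t src, uint32_t dst,
                     uint16_t sport, uint16_t dport, uint32_t seq)
{
    memset(out, 0, 36);
    out[0] = 3; out[1] = code;       /* type, code; checksum left at zero for the demo */
    uint8_t *ip = out + 8;
    ip[0] = 0x45; ip[9] = 6;         /* IPv4, IHL = 5 words, protocol TCP */
    wr32(ip + 12, src); wr32(ip + 16, dst);
    wr16(ip + 20, sport); wr16(ip + 22, dport);
    wr32(ip + 24, seq);
    return 36;
}

/* One constructed connection, as if we had just sent a SYN to a mail server:
 * 10.0.0.2:40000 -> 192.0.2.10:25 with the SYN (seq 1000) still in flight. */
static const struct tcp_conn sample_conns[] = {
    { 0x0A000002u, 0xC000020Au, 40000, 25, 1000, 1001 },
};

/* What an ICMP with this code, quoted seq and quoted source port does to it. */
enum icmp_action sample_decision(uint8_t code, uint32_t seq, uint16_t sport)
{
    uint8_t msg[36];
    size_t n = build_unreach(msg, code, 0x0A000002u, 0xC000020Au, sport, 25, seq);
    return icmp_unreach_action(msg, n, sample_conns, 1);
}

int main(void)
{
    printf("in-flight seq -> %d, stale seq -> %d, soft code -> %d, no conn -> %d\n",
           sample_decision(13, 1000, 40000), sample_decision(13, 5000, 40000),
           sample_decision(1, 1000, 40000), sample_decision(3, 1000, 4444));
    return 0;
}
```

The sequence-number check is what makes the RST-like treatment safe to enable: without it, anyone who can guess the four-tuple of a connection can tear it down with a single forged code 13 message. FreeBSD later shipped this behaviour behind the net.inet.tcp.icmp_may_rst sysctl and applied it only to connections still in SYN_SENT, where the SYN is the only segment in flight and the check is cheapest.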