Date: Tue, 16 Oct 2001 14:26:13 -0700
From: "Crist J. Clark"
To: Guido van Rooij
Cc: freebsd-stable@FreeBSD.ORG
Subject: Re: IPFW or IPFILTER?
Message-ID: <20011016142613.D4437@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
References: <20011014180756.A17546@adv.devet.org> <200110141616.f9EGG5x37636@lurza.secnetix.de> <20011016212713.A6881@gvr.gvr.org>
In-Reply-To: <20011016212713.A6881@gvr.gvr.org>; from guido@gvr.org on Tue, Oct 16, 2001 at 09:27:14PM +0200

On Tue, Oct 16, 2001 at 09:27:14PM +0200, Guido van Rooij wrote:
> On Sun, Oct 14, 2001 at 06:16:05PM +0200, Oliver Fromme wrote:
> > > IIRC ipfilter does not allow '_any_ ICMP' in such a case: if you send an
> > > 'ICMP echo' with keep-state then only 'ICMP echo reply' packets will be
> > > allowed to pass through.
> >
> > That's bad, because you usually want to see other types of
> > ICMP replies, too, such as TTL exceeded, host unreachable,
> > communication prohibited etc.
> >
> > Of course that is allowed in the UDP and TCP cases.
>
> However, in the case of ICMP request packets, you will never get back an
> ICMP error, because the protocol forbids sending ICMP errors for ICMP
> packets.
> To quote the rfc:
>
>     To avoid the infinite regress of messages about messages
>     etc., no ICMP messages are sent about ICMP messages.

That is not true. An ICMP error is never sent in response to an ICMP
_error_ message. You will get various ICMP error messages in response
to something like a ping. ICMP-based traceroutes count on this fact.
RFC1122 explicitly states,

    An ICMP error message MUST NOT be sent as the result of receiving:

    * an ICMP error message, or

    * a datagram destined to an IP broadcast or IP multicast address, or

    * a datagram sent as a link-layer broadcast, or

    * a non-initial fragment, or

    * a datagram whose source address does not define a single host --
      e.g., a zero address, a loopback address, a broadcast address, a
      multicast address, or a Class E address.

What types are "ICMP error messages" is defined earlier in the RFC,

    ICMP messages are grouped into two classes.

    * ICMP error messages:

        Destination Unreachable   (see Section 3.2.2.1)
        Redirect                  (see Section 3.2.2.2)
        Source Quench             (see Section 3.2.2.3)
        Time Exceeded             (see Section 3.2.2.4)
        Parameter Problem         (see Section 3.2.2.5)

    * ICMP query messages:

        Echo                      (see Section 3.2.2.6)
        Information               (see Section 3.2.2.7)
        Timestamp                 (see Section 3.2.2.8)
        Address Mask              (see Section 3.2.2.9)

It is allowed, and even expected, that ICMP error messages will be
generated in response to problematic ICMP query messages.
--
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
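The RFC 1122 rules quoted above, written out as a decision function a stateful filter could use when deciding whether an inbound ICMP error can legitimately relate to a tracked outbound query. This is an added example, not code from the mailing-list post or from ipfilter/ipfw; the Datagram fields and the sample addresses are constructed, and the ICMP type numbers are the standard RFC 792 values.

```python
"""RFC 1122 section 3.2.2: when an ICMP error MUST NOT be generated.

Added illustration; not code from the original post or from any firewall.
The Datagram record and sample values are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Class split from RFC 1122 section 3.2.2 (type numbers from RFC 792).
ICMP_ERROR_TYPES = {3: "Destination Unreachable", 4: "Source Quench",
                    5: "Redirect", 11: "Time Exceeded", 12: "Parameter Problem"}
ICMP_QUERY_TYPES = {0: "Echo Reply", 8: "Echo", 13: "Timestamp", 14: "Timestamp Reply",
                    15: "Information Request", 16: "Information Reply",
                    17: "Address Mask Request", 18: "Address Mask Reply"}

LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")


@dataclass
class Datagram:
    src: str
    dst: str
    proto: int                       # 1 = ICMP, 6 = TCP, 17 = UDP
    icmp_type: Optional[int] = None  # only meaningful when proto == 1
    frag_offset: int = 0             # > 0 means a non-initial fragment
    link_broadcast: bool = False     # delivered as a link-layer broadcast


def icmp_class(icmp_type: int) -> str:
    """'error', 'query', or 'unknown' per the RFC 1122 grouping."""
    if icmp_type in ICMP_ERROR_TYPES:
        return "error"
    return "query" if icmp_type in ICMP_QUERY_TYPES else "unknown"


def icmp_error_forbidden(pkt: Datagram) -> Optional[str]:
    """Return the RFC 1122 reason no ICMP error may be sent about pkt, else None.

    None means an error (e.g. Time Exceeded for a ping) is permitted, which is
    exactly the case the post says a keep-state rule on ICMP echo should expect.
    Subnet-directed broadcasts cannot be detected without a netmask here.
    """
    if pkt.proto == 1 and pkt.icmp_type in ICMP_ERROR_TYPES:
        return "ICMP error message"
    dst = ipaddress.IPv4Address(pkt.dst)
    if dst.is_multicast or dst == LIMITED_BROADCAST:
        return "IP broadcast or multicast destination"
    if pkt.link_broadcast:
        return "link-layer broadcast"
    if pkt.frag_offset > 0:
        return "non-initial fragment"
    src = ipaddress.IPv4Address(pkt.src)
    # zero, loopback, broadcast, multicast, or Class E (240.0.0.0/4 is_reserved)
    if (src.is_unspecified or src.is_loopback or src.is_multicast
            or src == LIMITED_BROADCAST or src.is_reserved):
        return "source address does not define a single host"
    return None
```

A filter that tracks an outbound Echo should therefore still admit Destination Unreachable and Time Exceeded answers for it, since the function returns None for that query; only errors about errors are ruled out.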