Date:      Fri, 1 Aug 2003 17:27:29 +0200
From:      Sten Daniel Sørsdal <sten.daniel.sorsdal@wan.no>
To:        "Michael Sierchio" <kudzu@tenebras.com>
Cc:        freebsd-ipfw@freebsd.org
Subject:   RE: Suggestion regarding a new option for IPFW2
Message-ID:  <0AF1BBDF1218F14E9B4CCE414744E70F07DEFF@exchange.wanglobal.net>

>  > The option to send icmp error messages/tcp resets with src being
>  > the original destination of the offending packet.
>  >
>  > I realize after looking at the src's that this might require a
>  > separate icmp_error() - please correct me if I'm wrong!
>  >
>  > The intent is to "disguise" the source of the error message for
>  > forwarding firewalls protecting servers.
>
> This feature already exists.
I disagree.

> natd already does this.  It does even better -- it correctly
> rewrites the *included* header (the one from the offending
> packet).

Who needs NAT? I've got more IPs than I know what to do with.
But it's certainly an idea to look at what natd does to masquerade the
error messages properly.

>
> That being said, it's certainly correct for an intermediate
> router (for example, a firewall) to issue an ICMP unreachable
> net-prohib, etc. or to issue a TCP reset, without rewriting.

I'm sure it is, but the intent was to disguise the non-pnat firewall in
question.

For example, adding this to my dedicated firewall, e.g.
    unreach port udp from any to MYSERVER as-dest
would return a packet saying MYSERVER does not know of any such port.

>
> This works fine -- several mailing lists I subscribe to
> attempt to connect to auth/tcp when I post.  My firewall
> issues a reset to these connection attempts, and it
> gives up and cheerfully accepts my message.

Are you by any chance using NAT? If you are, then the firewall
does not need masking (it already has the public IP and this option
would be of little/no use).
If not, then you still have the issue of the firewall's presence being
easily spotted.

Thank you for your comments!

- Sten
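As an added illustration of the message format under discussion (not code from the thread, nor from ipfw or natd): the script below builds, in memory, the ICMP port-unreachable a forwarding firewall would return for a UDP datagram aimed at a protected server, once with the firewall's own address as source (current behaviour) and once with the proposed as-dest behaviour, then parses it back to show that in the no-NAT case the quoted inner header is the original one either way. The addresses are constructed sample values.

```python
import socket
import struct

# Constructed sample addresses (not from the thread): the firewall itself,
# the protected server behind it, and a remote sender.
FIREWALL = "198.51.100.1"
MYSERVER = "198.51.100.10"
CLIENT = "203.0.113.7"

def ip_checksum(data: bytes) -> int:
    """One's-complement Internet checksum (RFC 1071); 0 over a checksummed header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header with the header checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

def udp_datagram(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """The offending packet: IPv4 + UDP (UDP checksum left 0, optional in IPv4)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    return ipv4_header(src, dst, 17, len(udp)) + udp

def icmp_port_unreach(offending: bytes, as_dest: bool) -> bytes:
    """ICMP type 3 code 3 as a forwarding firewall would emit it.
    Per RFC 792 the body quotes the offending IP header plus 8 bytes of its data.
    as_dest=False: source is the firewall's own address (current behaviour).
    as_dest=True: source is the original destination (the proposed option)."""
    ihl = (offending[0] & 0x0F) * 4
    icmp = struct.pack("!BBHI", 3, 3, 0, 0) + offending[: ihl + 8]
    icmp = icmp[:2] + struct.pack("!H", ip_checksum(icmp)) + icmp[4:]
    original_src = socket.inet_ntoa(offending[12:16])
    original_dst = socket.inet_ntoa(offending[16:20])
    src = original_dst if as_dest else FIREWALL
    return ipv4_header(src, original_src, 1, len(icmp)) + icmp

def describe(pkt: bytes) -> dict:
    """What the sender sees: outer source plus the quoted inner header fields."""
    icmp = pkt[20:]
    inner = icmp[8:]
    return {"src": socket.inet_ntoa(pkt[12:16]), "type": icmp[0], "code": icmp[1],
            "inner_dst": socket.inet_ntoa(inner[16:20]),
            "inner_dport": struct.unpack("!H", inner[22:24])[0]}
```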


