
Re: kernel/1816: Repeatable crashes of ipfilter code



Cy Schubert - ITSD Open Systems Group wrote:
> 
> On a FreeBSD system I get:
> 
> PING cwsys (10.1.1.1): 56 data bytes
> 36 bytes from cwsys (10.1.1.1): Destination Net Unreachable
> Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
>  4  5  00 0054 f121   0 0000  ff  01 b482 10.1.1.2  10.1.1.1
> 
> 36 bytes from cwsys (10.1.1.1): Destination Net Unreachable
> Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
>  4  5  00 0054 f136   0 0000  ff  01 b46d 10.1.1.2  10.1.1.1
> 
> Having said that, your rule,
> 
>         block return-icmp in proto icmp from any to any
> 
> ... is invalid.  You should not return an ICMP for a blocked ICMP, as
> it would cause an ICMP storm.  I cannot recall which RFC states that
> this should not be done, maybe someone on the list can quote the RFC
> number.

As someone pointed out, this is only partially true. The RFC in question
is RFC 1122, "Requirements for Internet Hosts -- Communication Layers,"
and it is technically not just an RFC but a Standard (STD 3):

         An ICMP error message MUST NOT be sent as the result of
         receiving:

         *    an ICMP error message, or

         *    a datagram destined to an IP broadcast or IP multicast
              address, or

         *    a datagram sent as a link-layer broadcast, or

         *    a non-initial fragment, or

         *    a datagram whose source address does not define a single
              host -- e.g., a zero address, a loopback address, a
              broadcast address, a multicast address, or a Class E
              address.

         NOTE: THESE RESTRICTIONS TAKE PRECEDENCE OVER ANY REQUIREMENT
         ELSEWHERE IN THIS DOCUMENT FOR SENDING ICMP ERROR MESSAGES.

And for completeness, "ICMP error messages" are defined in the same RFC
as,

              ICMP error messages:

               Destination Unreachable   (see Section 3.2.2.1)
               Redirect                  (see Section 3.2.2.2)
               Source Quench             (see Section 3.2.2.3)
               Time Exceeded             (see Section 3.2.2.4)
               Parameter Problem         (see Section 3.2.2.5)

-- 
Crist J. Clark                                Network Security Engineer
crist.clark@globalstar.com                    Globalstar, L.P.
(408) 933-4387                                FAX: (408) 933-4926
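A small decision function for the RFC 1122 rule quoted above, added here as an illustration (it is not ipfilter's code and not from either poster): it parses a raw IPv4 header and reports whether a host or filter may answer that datagram with an ICMP error. The sample datagrams are constructed; the first mirrors the Destination Net Unreachable shown in the quoted ping output, and `build_ipv4` leaves the header checksum zero because the check does not validate it.

```python
"""RFC 1122 s3.2.2 check: may an ICMP error be generated for this IPv4 datagram?"""
import ipaddress
import struct

IPPROTO_ICMP = 1
# Types RFC 1122 lists as "ICMP error messages": Destination Unreachable,
# Source Quench, Redirect, Time Exceeded, Parameter Problem.
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}
LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")


def may_send_icmp_error(packet: bytes, link_layer_broadcast: bool = False):
    """Return (allowed, reason). `packet` is a raw IPv4 datagram; the caller
    says whether it arrived as a link-layer broadcast. Subnet-directed
    broadcasts cannot be recognised without the local netmask, so only the
    limited broadcast address is checked here."""
    if len(packet) < 20:
        return False, "truncated IPv4 header"
    ver_ihl, _, _, _, flags_off, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(packet) < ihl:
        return False, "malformed IPv4 header"
    if link_layer_broadcast:
        return False, "link-layer broadcast"
    if flags_off & 0x1FFF:          # fragment offset != 0
        return False, "non-initial fragment"
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    if d.is_multicast or d == LIMITED_BROADCAST:
        return False, "destination is broadcast/multicast"
    # zero, loopback, broadcast, multicast or Class E (240/4 == is_reserved)
    if (s.is_unspecified or s.is_loopback or s == LIMITED_BROADCAST
            or s.is_multicast or s.is_reserved):
        return False, "source does not define a single host"
    if proto == IPPROTO_ICMP and len(packet) > ihl \
            and packet[ihl] in ICMP_ERROR_TYPES:
        return False, "datagram is itself an ICMP error (type %d)" % packet[ihl]
    return True, "ok"


def build_ipv4(src, dst, proto, payload, frag_off=0):
    """Constructed test datagram (header checksum left zero; not validated)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0xF121,
                      frag_off, 255, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload


# The case from the thread: a Destination Net Unreachable (type 3) from cwsys.
# A "block return-icmp in proto icmp" rule matching it must not answer in kind.
UNREACH = build_ipv4("10.1.1.1", "10.1.1.2", IPPROTO_ICMP, bytes([3, 0, 0, 0]))
ECHO = build_ipv4("10.1.1.2", "10.1.1.1", IPPROTO_ICMP, bytes([8, 0, 0, 0]))
```

An echo request is not an ICMP error, so the rule may legitimately answer it; the storm risk is specific to answering errors with errors.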
