[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: IPNAT/IPF redirect visibility

To: misc_(_at_)_openbsd_(_dot_)_org, ipfilter_(_at_)_coombs_(_dot_)_anu_(_dot_)_edu_(_dot_)_au
Subject: Re: IPNAT/IPF redirect visibility
From: Rémi Guyomarch <rguyom_(_at_)_pobox_(_dot_)_com>
Date: Sat, 9 Jun 2001 11:20:16 +0200

On Wed, Jun 06, 2001 at 11:59:37AM -0400, John Pavlakis wrote:

> > > block return-icmp-as-dest(port-unr) in log quick on ep1
> > > proto icmp all group 10
> > 
> > Never do that. Imagine I have the same rule on my firewall and I ping
> > you.
> 
> I already have a keep state entry for outgoing icmp. Would that be ok then?

Yes and no.

I don't think it's RFC-compliant to send an icmp error to an icmp
query, even more to send an icmp error to an icmp error.
Either you send the right icmp answer for the icmp query you got, or
you drop the packet on the floor.

Comments anyone ?

-- 
Rémi

Prev by Date: Re: Mysql
Next by Date: Re: OT: webhosting considerations
Previous by thread: Re: IPNAT/IPF redirect visibility
Next by thread: Exuse me?
Index(es):
- Date
- Thread

Visit your host, monkey.org