*BSD News Article 90382


Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!munnari.OZ.AU!news.Hawaii.Edu!news.lava.net!coconut!www.nntp.primenet.com!nntp.primenet.com!news.mathworks.com!news.maxwell.syr.edu!news-feed.inet.tele.dk!news.radio.cz!voskovec.radio.cz!newsbastard.radio.cz!news.cesnet.cz!nn.cis.vutbr.cz!rhino.cis.vutbr.cz!newshelp
From: Vladimir Mencl <vmen3237@ss1000.ms.mff.cuni.cz>
Newsgroups: comp.unix.bsd.freebsd.misc
Subject: IPFW sending ICMP_UNREACH_PORT
Date: Wed, 05 Mar 1997 20:13:32 +0100
Organization: Technical University of Brno, Czech Republic
Lines: 36
Message-ID: <331DC5DC.158@ss1000.ms.mff.cuni.cz>
NNTP-Posting-Host: azeroth.kolej.mff.cuni.cz
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-2
Content-Transfer-Encoding: 7bit
X-Mailer: Mozilla 3.01Gold (WinNT; I)
CC: vmen3237@ss1000.ms.mff.cuni.cz
Xref: euryale.cc.adfa.oz.au comp.unix.bsd.freebsd.misc:36596

We're running a network behind a firewall, the firewall being a
FreeBSD 2.1.5.
The firewall is configured to allow all TCP connections going out, and
reject all TCP connections from the outside (except for some few exceptions).
   But the FreeBSD IPFW sends ICMP_UNREACH_PORT messages for these
rejected connections. According to RFC792, a gateway is only allowed to send
Host unreachable or Net unreachable messages. The Port unreachable
message may be sent only by the host itself.
   Some Linuxes take this problem seriously, ignore this ICMP message
and go on trying to connect - especially with SMTP connections,
because all incoming mail has to stop at the firewall, which is
the second in priority for all machines inside.
   I have looked into the source code, and I know how to fix it
- changing /usr/src/sys/netinet/ip_fw.c at line 462
 
                       if (f_prt == IP_FW_F_ALL)
                                icmp_error(m, ICMP_UNREACH,
                                        ICMP_UNREACH_HOST, 0L, 0);   
                        else 
                                icmp_error(m, ICMP_UNREACH,
                                        ICMP_UNREACH_PORT, 0L, 0);
                                                     ^^^^ \-- HOST

   But what I'm asking is: why does the firewall code contain
what I quoted above? It doesn't look like a bug, it looks like
an intention, but after reading the RFC, I cannot find out
what the intention was.

	Thanks for any ideas.

			Vlada Mencl

Please CC any replies to my email vmen3237@ss1000.ms.mff.cuni.cz
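The RFC792 rule the post relies on, as an added example that is not part of the original post or of the FreeBSD source: a small parser that takes an IPv4 packet carrying an ICMP Destination Unreachable message, recovers the original destination from the quoted inner header, and flags the case the poster describes, namely a host-only code (port unreachable, and also protocol unreachable, which RFC792 restricts the same way) arriving from an address that is not the destination host. The sample packets are constructed in the block with RFC5737 documentation addresses; the addresses, port and field names are assumptions for illustration, not values from the post.

```python
"""Classify ICMP Destination Unreachable messages against the RFC 792 sender rule."""
import socket
import struct
from dataclasses import dataclass
from typing import Optional

ICMP_UNREACH = 3                                  # ICMP type: destination unreachable
ICMP_UNREACH_NET, ICMP_UNREACH_HOST = 0, 1        # codes a gateway may send
ICMP_UNREACH_PROTOCOL, ICMP_UNREACH_PORT = 2, 3   # codes only the destination host may send
HOST_ONLY_CODES = {ICMP_UNREACH_PROTOCOL, ICMP_UNREACH_PORT}
CODE_NAMES = {0: "net", 1: "host", 2: "protocol", 3: "port"}
IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17


def inet_checksum(data: bytes) -> int:
    """Standard one's-complement Internet checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_unreach(sender: str, orig_src: str, orig_dst: str, orig_dport: int, code: int) -> bytes:
    """Constructed sample: IP + ICMP type 3 quoting the original IP header and first 8 TCP bytes."""
    inner_ip = ipv4_header(orig_src, orig_dst, IPPROTO_TCP, 20)
    inner_tcp8 = struct.pack("!HHI", 40000, orig_dport, 0)   # sport, dport, seq
    icmp = struct.pack("!BBHI", ICMP_UNREACH, code, 0, 0) + inner_ip + inner_tcp8
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return ipv4_header(sender, orig_src, IPPROTO_ICMP, len(icmp)) + icmp


@dataclass
class UnreachReport:
    sender: str                    # source address of the ICMP message
    code: int
    code_name: str
    original_dst: str              # destination of the datagram that was rejected
    original_dport: Optional[int]  # TCP/UDP destination port, when the quoted header has one
    from_destination_host: bool    # sender == original destination
    rfc792_violation: bool         # host-only code sent by something other than the destination host


def parse_unreach(pkt: bytes) -> Optional[UnreachReport]:
    """Return a report for an ICMP Destination Unreachable packet, or None if it is not one."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != IPPROTO_ICMP or len(pkt) < ihl + 8 + 20:
        return None
    sender = socket.inet_ntoa(pkt[12:16])
    icmp = pkt[ihl:]
    if inet_checksum(icmp) != 0:          # a correct checksum verifies to zero over the whole message
        return None
    icmp_type, code = icmp[0], icmp[1]
    if icmp_type != ICMP_UNREACH:
        return None
    inner = icmp[8:]                      # quoted original datagram: IP header + 8 bytes of payload
    inner_ihl = (inner[0] & 0x0F) * 4
    orig_dst = socket.inet_ntoa(inner[16:20])
    dport = None
    if inner[9] in (IPPROTO_TCP, IPPROTO_UDP) and len(inner) >= inner_ihl + 4:
        dport = struct.unpack("!H", inner[inner_ihl + 2:inner_ihl + 4])[0]
    from_host = sender == orig_dst
    return UnreachReport(sender, code, CODE_NAMES.get(code, "other"), orig_dst, dport,
                         from_host, code in HOST_ONLY_CODES and not from_host)


# Constructed sample addresses (RFC 5737 documentation ranges), not taken from the post.
FIREWALL, OUTSIDE, INSIDE_MAILHOST = "192.0.2.1", "198.51.100.7", "192.0.2.25"

# The situation in the post: the firewall answers a rejected inbound SMTP connection
# with port unreachable, a code the RFC reserves for the destination host itself.
GATEWAY_PORT_UNREACH = build_unreach(FIREWALL, OUTSIDE, INSIDE_MAILHOST, 25, ICMP_UNREACH_PORT)
# The same rejection reported as host unreachable, which a gateway is permitted to send.
GATEWAY_HOST_UNREACH = build_unreach(FIREWALL, OUTSIDE, INSIDE_MAILHOST, 25, ICMP_UNREACH_HOST)
# Port unreachable sent by the destination host itself (nothing listening on the port).
HOST_PORT_UNREACH = build_unreach(INSIDE_MAILHOST, OUTSIDE, INSIDE_MAILHOST, 25, ICMP_UNREACH_PORT)

if __name__ == "__main__":
    for pkt in (GATEWAY_PORT_UNREACH, GATEWAY_HOST_UNREACH, HOST_PORT_UNREACH):
        print(parse_unreach(pkt))
```

The check is deliberately simple: the source address of the ICMP message is compared with the destination address quoted in the inner IP header, which is exactly the distinction RFC792 draws between a gateway and the host. Run over captured ICMP traffic at the outside interface, it separates rejections that a distant peer's stack may legitimately treat as a soft, retryable failure from those carrying the gateway codes the post argues the firewall should be using.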