From owner-freebsd-hackers Fri Nov 17 12:10:23 2000
Delivered-To: freebsd-hackers@freebsd.org
Received: from freesbee.wheel.dk (freesbee.wheel.dk [193.162.159.97]) by hub.freebsd.org (Postfix) with ESMTP id 039CD37B479 for ; Fri, 17 Nov 2000 12:10:15 -0800 (PST)
Received: by freesbee.wheel.dk (Postfix, from userid 1001) id 5AF4E3E4F; Fri, 17 Nov 2000 21:10:13 +0100 (CET)
Date: Fri, 17 Nov 2000 21:10:13 +0100
From: Jesper Skriver
To: hackers@FreeBSD.org
Subject: React to ICMP administratively prohibited ?
Message-ID: <20001117211013.C9227@skriver.dk>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Hi,

I'm currently looking at how various operating systems react to an 'ICMP administratively prohibited'.

My motivation is setups where access to the primary mail server is blocked by filters (usually to block open relays), and all mail has to go via the backup MX. An example from a customer of ours:

jesper@freesbee$ host -t mx nemo.dyndns.dk
nemo.dyndns.dk mail is handled (pri=10) by nemo.dyndns.dk
nemo.dyndns.dk mail is handled (pri=20) by backup-mx.post.tele.dk

Here we block access to tcp/25 on nemo.dyndns.dk (an ADSL user), but provide a backup MX for him to use. However, when a mail server wants to send mail to him, it will experience a timeout before sending the mail to backup-mx.post.tele.dk, which can send the mail onwards to nemo.dyndns.dk. This timeout could be avoided if the sending mail server reacted to the 'ICMP administratively prohibited' it got from our router.
20:57:03.799129 193.162.74.6.1071 > 193.89.247.125.25: S 831128672:831128672(0) win 16384 (DF) [tos 0x10]
20:57:03.818322 195.249.14.202 > 193.162.74.6: icmp: host 193.89.247.125 unreachable - admin prohibited filter
20:57:06.797061 193.162.74.6.1071 > 193.89.247.125.25: S 831128672:831128672(0) win 16384 (DF) [tos 0x10]
20:57:06.812424 195.249.14.202 > 193.162.74.6: icmp: host 193.89.247.125 unreachable - admin prohibited filter

FreeBSD (as of last Saturday's -current at least) doesn't react to this:

$ telnet nemo.dyndns.dk 25
Trying 193.89.247.125...

Of the other operating systems we've looked at (Win2k, Linux and Solaris), only Linux reacts to this:

$ telnet nemo.dyndns.dk 25
Trying 193.89.247.125...
telnet: Unable to connect to remote host: No route to host
$ uname -a
Linux xyz.dk 2.0.32 #1 Wed Nov 19 00:46:45 EST 1997 i586 unknown

Wouldn't it be an idea to implement a similar behaviour in FreeBSD?

/Jesper

--
Jesper Skriver, jesper(at)skriver(dot)dk - CCIE #5456
Work: Network manager @ AS3292 (Tele Danmark DataNetworks)
Private: Geek @ AS2109 (A much smaller network ;-)

One Unix to rule them all, One Resolver to find them,
One IP to bring them all and in the zone to bind them.
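The behaviour the post asks for, as an added example that is not part of the original message or of any FreeBSD or Linux source: a stack that receives an ICMP Destination Unreachable while a connect() is in SYN_SENT must parse the quoted IP header plus the first 8 bytes of the TCP header, match them against the outstanding SYN, and only then turn the "administratively prohibited" codes (9, 10, 13) into a hard error instead of waiting for the SYN retransmit timer. The sequence-number comparison is the part a practitioner should not skip: ICMP is unauthenticated, and a stack that aborts on any matching 4-tuple hands an off-path attacker a cheap way to kill connection attempts (the attack class documented in RFC 5927). The packet bytes are constructed here from the tcpdump trace in the post; `PendingSyn`, `connect_error_for`, `build_dest_unreach` and the code-to-errno table `HARD_ERRORS` are this example's own names and policy, not any operating system's table.

```python
"""Decide whether an ICMP Destination Unreachable should abort a TCP connect().

Added example (not code from the original post or any kernel). Builds the ICMP
message a filtering router returns for a blocked SYN, parses it the way a stack
would, and maps "administratively prohibited" to a hard error.
"""
import socket
import struct
from dataclasses import dataclass
from typing import Optional

ICMP_DEST_UNREACH = 3

# Destination-unreachable codes that abort a pending connect, and the errno name
# connect() would then return. Codes 2/3/4 are the hard errors of RFC 1122;
# 9/10/13 are the RFC 1812 "administratively prohibited" codes the post wants
# treated the same way. The errno choices are this example's assumption.
HARD_ERRORS = {
    2: "EPROTONOSUPPORT",  # protocol unreachable
    3: "ECONNREFUSED",     # port unreachable
    4: "EMSGSIZE",         # fragmentation needed
    9: "EHOSTUNREACH",     # network administratively prohibited
    10: "EHOSTUNREACH",    # host administratively prohibited
    13: "EHOSTUNREACH",    # communication administratively prohibited (filter)
}


@dataclass(frozen=True)
class PendingSyn:
    """A connection in SYN_SENT: its 4-tuple plus the ISN we sent."""
    src: str
    sport: int
    dst: str
    dport: int
    isn: int


def _ipv4_header(src: str, dst: str, proto: int, payload_len: int, tos: int = 0) -> bytes:
    # Minimal 20-byte IPv4 header; checksum left at zero (a kernel would fill it).
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, 0, 0x4000,
                       64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def build_dest_unreach(router: str, victim: str, code: int, syn: PendingSyn) -> bytes:
    """Constructed input: the ICMP message a router sends back for a blocked SYN.

    The quoted part is the original IP header plus the first 8 bytes of the
    TCP header (source port, destination port, sequence number).
    """
    quoted = _ipv4_header(syn.src, syn.dst, 6, 20, tos=0x10) + \
        struct.pack("!HHI", syn.sport, syn.dport, syn.isn)
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + quoted
    return _ipv4_header(router, victim, 1, len(icmp)) + icmp


def connect_error_for(packet: bytes, pending: PendingSyn) -> Optional[str]:
    """Return the errno name connect() should fail with, or None to keep retrying."""
    if len(packet) < 20:
        return None
    ihl = (packet[0] & 0x0F) * 4
    # Must be ICMP and long enough for the 8-byte ICMP header, a 20-byte quoted
    # IP header and 8 quoted TCP bytes.
    if packet[9] != 1 or len(packet) < ihl + 8 + 28:
        return None
    icmp = packet[ihl:]
    itype, code = icmp[0], icmp[1]
    if itype != ICMP_DEST_UNREACH:
        return None
    quoted = icmp[8:]
    qihl = (quoted[0] & 0x0F) * 4
    if quoted[9] != 6 or len(quoted) < qihl + 8:
        return None
    qsrc = socket.inet_ntoa(quoted[12:16])
    qdst = socket.inet_ntoa(quoted[16:20])
    sport, dport, seq = struct.unpack("!HHI", quoted[qihl:qihl + 8])
    # Match the quoted header against our outstanding SYN. Comparing the
    # sequence number as well as the 4-tuple is what stops an off-path attacker
    # from aborting connects with forged ICMP: they must also guess our ISN.
    if (qsrc, sport, qdst, dport, seq) != \
            (pending.src, pending.sport, pending.dst, pending.dport, pending.isn):
        return None
    # Soft errors (net/host unreachable, source route failed, ...) keep the
    # retransmit timer running; only the table above aborts.
    return HARD_ERRORS.get(code)


if __name__ == "__main__":
    # The SYN and the router reply from the post's tcpdump trace.
    syn = PendingSyn("193.162.74.6", 1071, "193.89.247.125", 25, 831128672)
    reply = build_dest_unreach("195.249.14.202", "193.162.74.6", 10, syn)
    print(connect_error_for(reply, syn))
```

With the trace's SYN outstanding, the router's code-10 reply yields EHOSTUNREACH immediately, which is the "No route to host" the post observed from Linux; the same reply quoting a different sequence number, or a plain net-unreachable (code 0), leaves the connect retrying.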