From owner-freebsd-net Mon Jun 1 20:28:51 1998
Message-Id: <199806020328.UAA05707@cwsys.cwsent.com>
From: Cy Schubert - ITSD Open Systems Group
To: Philippe Regnauld
cc: security@deepo.prosa.dk, freebsd-net@FreeBSD.ORG
Subject: Re: ipfw & icmp question
In-reply-to: Your message of "Sat, 30 May 1998 23:48:08 +0200." <19980530234807.14632@deepo.prosa.dk>
Date: Mon, 01 Jun 1998 20:27:41 -0700

> [crossposting to -net and -security -- shoot me if necessary]
>
> I am a bit puzzled regarding the following situation:
>
> I have a machine with IPFW setup to send "port unreachable" if
> a connection attempt is made on port 113/TCP (identd). The policy
> is default deny.
> Here is what happens when I do "telnet host 113"
>
> - from a FreeBSD host (A.B.C.D) to the FreeBSD box (E.F.G.H):
>
> 01:35:02.307343 A.B.C.D.2218 > E.F.G.H.113: S 2940925835:2940925835(0) win 16384 (DF) [tos 0x10]
> 01:35:02.308070 E.F.G.H > A.B.C.D: icmp: E.F.G.H tcp port 113 unreachable (DF)
> 01:35:04.850388 A.B.C.D.2218 > E.F.G.H.113: S 2940925835:2940925835(0) win 16384 (DF) [tos 0x10]
> 01:35:04.851237 E.F.G.H > A.B.C.D: icmp: E.F.G.H tcp port 113 unreachable (DF)
>
> Symptom: the connection is NOT dropped right away, and the
> first host (A.B.C.D) keeps on trying until timeout (thus
> the packet being sent twice as above).
>
> Both hosts are 2.2.6. Digital UNIX 4.0B behaves the same as above.
>
> - from a Linux box (W.X.Y.Z) to the same FreeBSD box (E.F.G.H):
>
> 01:38:22.901190 W.X.Y.Z.1166 > E.F.G.H.113: S 3448428087:3448428087(0) win 512
> 01:38:22.901969 E.F.G.H > W.X.Y.Z: icmp: E.F.G.H tcp port 113 unreachable
>
> No problem here, the Linux telnet responds:
>
> Trying E.F.G.H...
> telnet: Unable to connect to remote host: Connection refused
>
> ... and returns right away.
> Solaris 2.5 behaves the same as above.

I would think that, with a rule like "ipfw add 1 unreach port tcp from any to any 23", the Solaris and Linux telnet clients responding with "connection refused" immediately would be the correct action, rather than waiting for five port unreachable ICMP messages before terminating the connection attempt. Is there a sysctl variable that needs to be set to change this behavior?

Regards,

Cy Schubert                   Phone: (250)387-8437
Open Systems Group            Fax:   (250)387-5766
ITSD                          Internet: cschuber@uumail.gov.bc.ca
Government of BC                        Cy.Schubert@gems8.gov.bc.ca
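The behaviour the quoted capture illustrates, as an added example that is not part of this thread: a small Python script that parses tcpdump lines in the format quoted above and flags clients that re-send a SYN to a port after they have already been sent an ICMP "tcp port unreachable" for it, which is the pattern the FreeBSD and Digital UNIX clients show and the Linux and Solaris clients do not. The sample lines are constructed from the quoted capture; the regexes assume that exact tcpdump output format.

```python
import re
from collections import defaultdict

# Constructed sample, mirroring the tcpdump lines quoted in the thread.
CAPTURE = """\
01:35:02.307343 A.B.C.D.2218 > E.F.G.H.113: S 2940925835:2940925835(0) win 16384 (DF) [tos 0x10]
01:35:02.308070 E.F.G.H > A.B.C.D: icmp: E.F.G.H tcp port 113 unreachable (DF)
01:35:04.850388 A.B.C.D.2218 > E.F.G.H.113: S 2940925835:2940925835(0) win 16384 (DF) [tos 0x10]
01:35:04.851237 E.F.G.H > A.B.C.D: icmp: E.F.G.H tcp port 113 unreachable (DF)
01:38:22.901190 W.X.Y.Z.1166 > E.F.G.H.113: S 3448428087:3448428087(0) win 512
01:38:22.901969 E.F.G.H > W.X.Y.Z: icmp: E.F.G.H tcp port 113 unreachable
"""

# "ts src.sport > dst.dport: S seq:seq(0) ..." (tcpdump 3.x style, as quoted)
SYN_RE = re.compile(r"^(\S+) (\S+)\.(\d+) > (\S+)\.(\d+): S (\d+):")
# "ts sender > receiver: icmp: sender tcp port N unreachable"
ICMP_RE = re.compile(r"^(\S+) (\S+) > (\S+): icmp: \S+ tcp port (\d+) unreachable")


def syn_retries_after_unreachable(text):
    """Return {(client, dst, dport): n}, where n counts SYNs the client sent
    to dst:dport AFTER it had already been told "port unreachable" for that
    destination. A stack honouring RFC 1122 hard errors should never retry,
    so any non-zero count marks a client that ignores the ICMP error."""
    told = set()                 # (client, dst, dport) already sent unreachable
    retries = defaultdict(int)
    for line in text.splitlines():
        m = SYN_RE.match(line)
        if m:
            key = (m.group(2), m.group(4), int(m.group(5)))
            if key in told:
                retries[key] += 1
            continue
        m = ICMP_RE.match(line)
        if m:
            # ICMP flows dst -> client; record it keyed by the client's view.
            told.add((m.group(3), m.group(2), int(m.group(4))))
    return dict(retries)


if __name__ == "__main__":
    for (client, dst, dport), n in syn_retries_after_unreachable(CAPTURE).items():
        print(f"{client} re-sent SYN {n}x to {dst}:{dport} after port unreachable")
```

Run against a longer capture, the script separates clients that honour the ICMP error (absent from the result) from those that keep retransmitting until their own SYN timeout.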