Date: Mon, 01 Jun 1998 20:27:41 -0700
From: Cy Schubert - ITSD Open Systems Group <cschuber@uumail.gov.bc.ca>
To: Philippe Regnauld <regnauld@deepo.prosa.dk>
Cc: security@deepo.prosa.dk, freebsd-net@FreeBSD.ORG
Subject: Re: ipfw & icmp question
Message-ID: <199806020328.UAA05707@cwsys.cwsent.com>
In-Reply-To: Your message of "Sat, 30 May 1998 23:48:08 +0200." <19980530234807.14632@deepo.prosa.dk>
> [crossposting to -net and -security -- shoot me if necessary]
>
> I am a bit puzzled regarding the following situation:
>
> I have a machine with IPFW setup to send "port unreachable" if
> a connection attempt is made on port 113/TCP (identd). The policy
> is default deny. Here is what happens when I do "telnet host 113"
>
> - from a FreeBSD host (A.B.C.D) to the FreeBSD box (E.F.G.H):
>
> 01:35:02.307343 A.B.C.D.2218 > E.F.G.H.113: S 2940925835:2940925835(0) win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp[|tcp]> (DF) [tos 0x10]
> 01:35:02.308070 E.F.G.H > A.B.C.D: icmp: E.F.G.H tcp port 113 unreachable (DF)
> 01:35:04.850388 A.B.C.D.2218 > E.F.G.H.113: S 2940925835:2940925835(0) win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp[|tcp]> (DF) [tos 0x10]
> 01:35:04.851237 E.F.G.H > A.B.C.D: icmp: E.F.G.H tcp port 113 unreachable (DF)
>
> Symptom: the connection is NOT dropped right away, and the
> first host (A.B.C.D) keeps on trying until timeout -- thus
> the packet being sent twice as above)
>
> Both hosts are 2.2.6

Digital UNIX 4.0B behaves the same as above.

> - from a Linux box (W.X.Y.Z) to the same FreeBSD box (E.F.G.H):
>
> 01:38:22.901190 W.X.Y.Z.1166 > E.F.G.H.113: S 3448428087:3448428087(0) win 512 <mss 1460>
> 01:38:22.901969 E.F.G.H > W.X.Y.Z: icmp: E.F.G.H tcp port 113 unreachable
>
> No problem here, the linux telnet responds:
>
> Trying E.F.G.H...
> telnet: Unable to connect to remote host: Connection refused
>
> ... and returns right away.
> Solaris 2.5 behaves the same as above.

I would think that with a rule like

    ipfw add 1 unreach port tcp from any to any 23

the Solaris and Linux telnet clients responding with "connection refused" immediately would be the correct action, rather than waiting for five port unreachable ICMP messages before terminating the connection attempt. Is there a sysctl variable that needs to be set to change this behavior?
Regards,                       Phone:  (250)387-8437
Cy Schubert                    Fax:    (250)387-5766
Open Systems Group             Internet: cschuber@uumail.gov.bc.ca
ITSD                                     Cy.Schubert@gems8.gov.bc.ca
Government of BC
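The behaviour the thread is comparing (one client retransmitting its SYN after an ICMP port unreachable, another giving up at once) can be read straight off the tcpdump output. The following is an added example, not code from the thread or from FreeBSD; it parses a constructed sample built from the quoted traces (TCP options trimmed) and classifies each client by whether it resent the same SYN after the unreachable arrived.

```python
import re

# Constructed sample: the tcpdump lines quoted above, with the option lists
# shortened. A.B.C.D is the FreeBSD client, W.X.Y.Z the Linux client,
# E.F.G.H the box whose ipfw rule answers with ICMP port unreachable.
SAMPLE = """\
01:35:02.307343 A.B.C.D.2218 > E.F.G.H.113: S 2940925835:2940925835(0) win 16384 <mss 1460> (DF)
01:35:02.308070 E.F.G.H > A.B.C.D: icmp: E.F.G.H tcp port 113 unreachable (DF)
01:35:04.850388 A.B.C.D.2218 > E.F.G.H.113: S 2940925835:2940925835(0) win 16384 <mss 1460> (DF)
01:35:04.851237 E.F.G.H > A.B.C.D: icmp: E.F.G.H tcp port 113 unreachable (DF)
01:38:22.901190 W.X.Y.Z.1166 > E.F.G.H.113: S 3448428087:3448428087(0) win 512 <mss 1460>
01:38:22.901969 E.F.G.H > W.X.Y.Z: icmp: E.F.G.H tcp port 113 unreachable
"""

# tcpdump 3.x style: "<time> <src>.<sport> > <dst>.<dport>: S <isn>:<isn>(0) ..."
SYN_RE = re.compile(r"^(\S+) (\S+)\.(\d+) > (\S+)\.(\d+): S (\d+):\d+\(0\)")
# "<time> <sender> > <target>: icmp: <sender> tcp port <port> unreachable"
ICMP_RE = re.compile(r"^(\S+) (\S+) > (\S+): icmp: \S+ tcp port (\d+) unreachable")

def analyse(dump):
    """Per client flow: SYNs sent, unreachables received, SYNs sent after one."""
    flows = {}
    for line in dump.splitlines():
        m = SYN_RE.match(line)
        if m:
            key = (m.group(2), int(m.group(3)), m.group(4), int(m.group(5)))
            f = flows.setdefault(key, {"syns": 0, "unreach": 0, "syn_after_unreach": 0})
            f["syns"] += 1
            if f["unreach"]:          # client already got an unreachable for this flow
                f["syn_after_unreach"] += 1
            continue
        m = ICMP_RE.match(line)
        if m:
            sender, target, port = m.group(2), m.group(3), int(m.group(4))
            # credit the unreachable to every flow from target to sender:port
            for (src, _, dst, dport), f in flows.items():
                if src == target and dst == sender and dport == port:
                    f["unreach"] += 1
    return flows

def classify(flows):
    """Label each client by how its stack reacted to ICMP port unreachable."""
    verdict = {}
    for (src, _, _, _), f in flows.items():
        if f["syn_after_unreach"]:
            verdict[src] = "soft-error: retried SYN after ICMP port unreachable"
        elif f["unreach"]:
            verdict[src] = "hard-error: no retry seen after ICMP port unreachable"
        else:
            verdict[src] = "no unreachable seen"
    return verdict

if __name__ == "__main__":
    for client, result in classify(analyse(SAMPLE)).items():
        print(client, result)
```

A "hard-error" verdict only means no retransmission appeared within the captured window, so feed it a trace that runs past the client's SYN retry interval before drawing conclusions.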