Date:      Mon, 20 Nov 2000 22:23:30 +0100
From:      Jesper Skriver <jesper@skriver.dk>
To:        Mike Silbersack <silby@silby.com>
Cc:        hackers@FreeBSD.ORG
Subject:   Re: React to ICMP administratively prohibited ?
Message-ID:  <20001120222330.A66051@skriver.dk>
In-Reply-To: <Pine.BSF.4.21.0011191822410.54936-100000@achilles.silby.com>; from silby@silby.com on Sun, Nov 19, 2000 at 06:30:04PM -0600
References:  <20001119170042.A18095@skriver.dk> <Pine.BSF.4.21.0011191822410.54936-100000@achilles.silby.com>

On Sun, Nov 19, 2000 at 06:30:04PM -0600, Mike Silbersack wrote:
> 
> On Sun, 19 Nov 2000, Jesper Skriver wrote:
> 
> > A coworker of mine got into "rfc mode" and found the below, as we both
> > read it, it says that we MUST treat a ICMP unreachable like a TCP RST.
> > 
> > ##########
> >                                               ... A transport protocol
> >             that has its own mechanism for notifying the sender that a
> >             port is unreachable (e.g., TCP, which sends RST segments)
> >             MUST nevertheless accept an ICMP Port Unreachable for the
> >             same purpose.
> > ##########
> > 
> >                     9 = communication with destination network
> >                             administratively prohibited
> >  
> >                    10 = communication with destination host
> >                             administratively prohibited
> 
> Ok, you've got me convinced, it should be implemented.  <grumble>
> 
> There's a problem, though.  Later RFCs say to use 13 instead of 10, as 10
> was supposed to be for darpa use only.  

My code reacts to all 3.

> Perhaps you should retest the other OSes and see if they're only responding 
> to one of the two messages.

I could do this, but does it make much difference?

> Ok, back to MXes.  I've thought about it, and I can't think of any good
> ways to do your configuration automatically.  Perhaps you could have some
> cgi that would allow you to remove yourself from the firewall ruleset,
> assuming you were coming from the IP in question.  Or, coming from the
> other direction, the cgi could let you add yourself to the static mail
> routing table if you were coming from the IP in question.

This would be an option, but it would probably still require more support
and manpower than the current solution.

> I assume you're using sendmail's "relay if I'm listed as a MX" feature
> right now?

No, I'm actually using postfix, and an addition I wrote myself, from a
previous email in this thread ...

This is ensured by a patch(*) I wrote for postfix, from sample-smtpd.cf

# permit_auth_mx_backup: accept mail if all ip address(es) of the primary MX is 
# within $auth_mx_backup_networks, See auth_mx_backup_networks 
#
# The auth_mx_backup_networks parameter specifies a list of networks 
# where Postfix will act as a backup MX host if the primary MX is
# within these networks, and permit_auth_mx_backup is configured.
#
# The list is used by the anti-UCE software. See permit_auth_mx_backup
# in the sample-smtpd.cf file.

*)
<http://freesbee.wheel.dk/~jesper/permit_auth_mx_backup.20001030.diff>

See the postfix.users archive for history (the above patch is the same,
only relative to 20001030 instead of 20000531).

<http://x71.deja.com/[ST_rn=ps]/getdoc.xp?AN=648703086&CONTEXT=974559861.626524165&hitnum=26>


/Jesper

-- 
Jesper Skriver, jesper(at)skriver(dot)dk  -  CCIE #5456
Work:    Network manager @ AS3292 (Tele Danmark DataNetworks)
Private: Geek            @ AS2109 (A much smaller network ;-)

One Unix to rule them all, One Resolver to find them,
One IP to bring them all and in the zone to bind them.
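The behaviour argued over in this thread, treating an ICMP Destination Unreachable with code 9, 10 or 13 (and code 3, Port Unreachable, per the RFC 1122 text quoted above) like a TCP RST, as an added illustration that is not code from the thread or from FreeBSD. It assumes a connection table keyed on the 4-tuple and adds one hardening check not discussed in the thread: the quoted sequence number must fall inside the connection's unacknowledged send window before the error is honoured. The sample packet is constructed inline, without checksums.

```python
import struct
import ipaddress

ICMP_UNREACH = 3
# Codes from the thread: 9/10 (net/host administratively prohibited),
# 13 (the later replacement for 10), plus 3 (port unreachable, RFC 1122).
RST_LIKE_CODES = {3, 9, 10, 13}

def parse_icmp_unreach(icmp):
    """Return (code, src, dst, sport, dport, seq) from a type-3 ICMP error.
    The error quotes the offending IP header and first 8 bytes of its payload."""
    icmp_type, code = icmp[0], icmp[1]
    if icmp_type != ICMP_UNREACH or len(icmp) < 8 + 20 + 8:
        return None
    inner = icmp[8:]
    ihl = (inner[0] & 0x0F) * 4
    proto = inner[9]
    if proto != 6 or len(inner) < ihl + 8:      # only TCP is of interest here
        return None
    src = str(ipaddress.IPv4Address(inner[12:16]))
    dst = str(ipaddress.IPv4Address(inner[16:20]))
    sport, dport, seq = struct.unpack("!HHI", inner[ihl:ihl + 8])
    return code, src, dst, sport, dport, seq

def should_abort(icmp, conns):
    """conns maps (local_ip, local_port, remote_ip, remote_port) to
    {'snd_una': ..., 'snd_nxt': ...}. Return the tuple to abort, or None."""
    parsed = parse_icmp_unreach(icmp)
    if parsed is None:
        return None
    code, src, dst, sport, dport, seq = parsed
    if code not in RST_LIKE_CODES:
        return None
    # The quoted datagram was sent by us, so src/sport are the local side.
    key = (src, sport, dst, dport)
    tcb = conns.get(key)
    if tcb is None:
        return None
    # Hardening assumption (not from the thread): only honour the error if the
    # quoted sequence number lies in our send window, so stale errors are ignored.
    if not (tcb["snd_una"] <= seq < tcb["snd_nxt"]):
        return None
    return key

def build_icmp_unreach(code, src, dst, sport, dport, seq):
    """Constructed sample ICMP error (no checksums) for offline testing."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 48, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    tcp8 = struct.pack("!HHI", sport, dport, seq)
    return struct.pack("!BBHI", ICMP_UNREACH, code, 0, 0) + ip + tcp8
```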

