From nsayer@quack.kfu.com Wed Apr 30 02:34:32 1997
Received: from quack.kfu.com (0@quack.kfu.com [204.147.226.1]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id CAA18347 for ; Wed, 30 Apr 1997 02:34:30 -0700 (PDT)
Received: from icarus.kfu.com (icarus.kfu.com [204.147.226.3]) by quack.kfu.com (8.8.5/8.6.12) with ESMTP id CAA20751 for ; Wed, 30 Apr 1997 02:34:28 -0700 (PDT)
Received: by icarus.kfu.com (8.8.2//ident-1.0) id CAA07732; Wed, 30 Apr 1997 02:34:27 -0700 (PDT)
Message-Id: <199704300934.CAA07732@icarus.kfu.com>
Date: Wed, 30 Apr 1997 02:34:27 -0700 (PDT)
From: nsayer@quack.kfu.com
Reply-To: nsayer@quack.kfu.com
To: FreeBSD-gnats-submit@freebsd.org
Subject: IPFIREWALL reject returns port unreachable, not host
X-Send-Pr-Version: 3.2

>Number:         3427
>Category:       kern
>Synopsis:       IPFIREWALL reject returns port unreachable, not host
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Wed Apr 30 02:40:01 PDT 1997
>Closed-Date:    Sat Jul 5 11:49:06 PDT 1997
>Last-Modified:  Sat Jul 5 11:49:43 PDT 1997
>Originator:     Nick Sayer
>Release:        FreeBSD 2.2.1-RELEASE i386
>Organization:
Just me
>Environment:
[this is possibly a duplicate PR. I got no ack from the first ]
>Description:
When a reject rule is invoked on a packet, the return is an ICMP port unreachable. While this is seemingly correct behavior, it breaks SunOS 4.x. If SunOS receives a port unreachable, it will disconnect ALL sockets whose remote address matches the ICMP source. If SunOS receives a host unreachable, it does the right thing.

Yes, this is bogus, but until _everyone_ is running a modern IP implementation, the correct thing to do is to return a host unreachable instead. Or at _least_ make it a sysctl or kernel compile-time option.
>How-To-Repeat:
Code up a reject rule for TCP port 113. Telnet to quack.kfu.com. Observe that you are connected, then immediately disconnected. When you telnet to quack, it does an identd probe. The probe is rejected with a port unreachable. SunOS then disconnects both the ident probe and the original telnet.

Similarly, you can also connect to anyone running Sendmail configured to do RFC931 on a Sun and see the same thing.

Yes, passing port 113 instead of rejecting it would work around this problem, but that's not really the point here.
>Fix:
*** ip_fw.c.orig Wed Jan 29 05:15:42 1997 --- ip_fw.c Wed Apr 30 02:19:40 1997 *************** *** 478,484 **** && (f->fw_flg & IP_FW_F_COMMAND) == IP_FW_F_DENY && (ip->ip_p != IPPROTO_ICMP) && (f->fw_flg & IP_FW_F_ICMPRPL)) { ! icmp_error(*m, ICMP_UNREACH, ICMP_UNREACH_PORT, 0L, 0); return -1; } m_freem(*m); --- 478,484 ---- && (f->fw_flg & IP_FW_F_COMMAND) == IP_FW_F_DENY && (ip->ip_p != IPPROTO_ICMP) && (f->fw_flg & IP_FW_F_ICMPRPL)) { ! icmp_error(*m, ICMP_UNREACH, ICMP_UNREACH_HOST, 0L, 0); return -1; } m_freem(*m);
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed
State-Changed-By: fenner
State-Changed-When: Sat Jul 5 11:49:06 PDT 1997
State-Changed-Why:
Oops, there's another duplicate (kern/3446) which has not only the patch but also a followup.
>Unformatted:
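Review bot: the one-line change at `! icmp_error(*m, ICMP_UNREACH, ICMP_UNREACH_HOST, 0L, 0);` makes every reject rule with IP_FW_F_ICMPRPL answer with host unreachable unconditionally, while the Description itself asks that this be "at least" a sysctl or kernel compile-time option. Host unreachable tells the peer the whole host is down rather than that one port is filtered, so hardcoding it changes what every remote stack sees, not only SunOS 4.x; keeping the code selectable (a sysctl, a compile-time option, or a per-rule setting) would preserve port unreachable as the default for stacks that handle it correctly. The audit trail points to kern/3446 as carrying the patch plus a followup, so the selectable variant should be reconciled with that PR rather than committed from this one.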
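The Description turns on which ICMP Destination Unreachable code a reject rule sends back: code 3 (port) before the patch, code 1 (host) after it. The following is an added example, not code from the PR or from FreeBSD's ip_fw.c: it assembles such a reply the way a reject rule does (8-byte ICMP header, then the offending datagram's IP header and first 8 bytes, as icmp_error() quotes them) and decodes a captured one, so an administrator can confirm from a packet capture which code a firewall actually returns and which connection it refers to. The sample datagram (a TCP SYN to port 113) is constructed for the example, and the helper names (build_unreach, parse_unreach, unreach_code_name, sample_ident_probe) are this example's own.

```c
/* Added example: not code from the PR or from FreeBSD's ip_fw.c. Builds an
 * ICMP Destination Unreachable the way a reject rule does and decodes one,
 * so a captured reply can be checked for code 1 (host) vs code 3 (port). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <netinet/ip_icmp.h>   /* BSD names ICMP_UNREACH, ICMP_UNREACH_HOST, ICMP_UNREACH_PORT */

#ifndef ICMP_UNREACH            /* fallbacks for headers that lack the BSD names */
#define ICMP_UNREACH 3
#endif
#ifndef ICMP_UNREACH_HOST
#define ICMP_UNREACH_HOST 1
#endif
#ifndef ICMP_UNREACH_PORT
#define ICMP_UNREACH_PORT 3
#endif

#define QUOTED_LEN  28                 /* IPv4 header (IHL=5) + first 8 bytes of payload */
#define UNREACH_LEN (8 + QUOTED_LEN)   /* ICMP header + quoted part */

struct unreach_info {
    int code;               /* ICMP code: 1 = host unreachable, 3 = port unreachable */
    int proto;              /* IP protocol of the quoted datagram */
    uint16_t sport, dport;  /* transport ports of the quoted datagram (TCP/UDP only) */
    int checksum_ok;        /* 1 if the ICMP checksum verifies */
};

/* RFC 1071 Internet checksum over an arbitrary byte count. */
static uint16_t in_cksum(const uint8_t *p, size_t len)
{
    uint32_t sum = 0;
    for (; len > 1; p += 2, len -= 2)
        sum += (uint32_t)((p[0] << 8) | p[1]);
    if (len)
        sum += (uint32_t)(p[0] << 8);
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Constructed sample (not a real capture): the datagram a reject rule on
 * port 113 would see, a TCP SYN from 10.0.0.1:1025 to 10.0.0.2:113. */
const uint8_t *sample_ident_probe(void)
{
    static const uint8_t probe[QUOTED_LEN] = {
        0x45, 0x00, 0x00, 0x2c, 0x00, 0x00, 0x40, 0x00, 0x40, 0x06, 0x00, 0x00,
        10, 0, 0, 1,            /* source 10.0.0.1 */
        10, 0, 0, 2,            /* destination 10.0.0.2 */
        0x04, 0x01, 0x00, 0x71, /* sport 1025, dport 113 */
        0x00, 0x00, 0x00, 0x01  /* sequence number */
    };
    return probe;
}

/* Build the reply; returns its length, or -1 if the offending datagram is too short. */
int build_unreach(uint8_t *out, int code, const uint8_t *offending, size_t off_len)
{
    if (off_len < QUOTED_LEN)
        return -1;
    memset(out, 0, 8);                 /* type, code, checksum, 4 unused bytes */
    out[0] = ICMP_UNREACH;
    out[1] = (uint8_t)code;
    memcpy(out + 8, offending, QUOTED_LEN);
    uint16_t ck = in_cksum(out, UNREACH_LEN);
    out[2] = (uint8_t)(ck >> 8);
    out[3] = (uint8_t)(ck & 0xff);
    return UNREACH_LEN;
}

/* Decode a captured ICMP message; returns 0 on success, -1 if it is not a
 * destination unreachable quoting a plain (IHL=5) IPv4 header. */
int parse_unreach(const uint8_t *pkt, size_t len, struct unreach_info *info)
{
    if (len < UNREACH_LEN || pkt[0] != ICMP_UNREACH)
        return -1;
    const uint8_t *ip = pkt + 8;
    if ((ip[0] >> 4) != 4 || (ip[0] & 0x0f) != 5)
        return -1;
    info->code = pkt[1];
    info->proto = ip[9];
    info->sport = info->dport = 0;
    if (info->proto == 6 || info->proto == 17) {          /* TCP or UDP */
        info->sport = (uint16_t)((ip[20] << 8) | ip[21]);
        info->dport = (uint16_t)((ip[22] << 8) | ip[23]);
    }
    info->checksum_ok = (in_cksum(pkt, len) == 0);        /* checksum covers the whole message */
    return 0;
}

const char *unreach_code_name(int code)
{
    switch (code) {
    case ICMP_UNREACH_HOST: return "host unreachable";
    case ICMP_UNREACH_PORT: return "port unreachable";
    default:                return "other";
    }
}

int main(void)
{
    uint8_t buf[UNREACH_LEN];
    struct unreach_info info;
    int codes[2] = { ICMP_UNREACH_PORT, ICMP_UNREACH_HOST }; /* unpatched / patched reject rule */
    for (int i = 0; i < 2; i++) {
        build_unreach(buf, codes[i], sample_ident_probe(), QUOTED_LEN);
        if (parse_unreach(buf, sizeof buf, &info) == 0)
            printf("code %d (%s), quoted proto %d, %u -> %u, checksum %s\n",
                   info.code, unreach_code_name(info.code), info.proto,
                   info.sport, info.dport, info.checksum_ok ? "ok" : "bad");
    }
    return 0;
}
```

Run against a real capture, parse_unreach() is fed the ICMP message with its IP header stripped; the quoted destination port (113 in the sample) identifies which reject rule fired, and a checksum mismatch means the message was altered or truncated in transit. The decoder only handles a 20-byte quoted IP header, which is what a bare TCP SYN carries; options in the quoted header would need the IHL to be honoured.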