
List:       ipfilter
Subject:    Re: um, wrong
From:       "Richard L. Hamilton" <rlhamil () mindwarp ! smart ! net>
Date:       1997-08-21 16:02:11


">" == someone more alert than me
">>" == me

>>  block return-icmp(port-unr) in quick on ipdptp0 proto tcp from any
>>  to any flags S/SA
>> 
>>  would make it look to a denied host as if you weren't listening on the port
> 
> What stack are you aware of that sends icmp port-unr instead
> of RST for an inactive *TCP* port??

I was going to say all of 'em, but after looking into it, you're right.
It used to be that forcing a TCP reset would result in a remote
*nix system seeing error ECONNRESET, which was the real giveaway, whereas
an ICMP port unreachable would result in ECONNREFUSED.  But now, it looks
like a TCP reset during connection establishment (which is in fact what I
saw snooping a connect to an un-listened-to port) also results in
ECONNREFUSED.  Maybe return-rst used to set a different combination of
flags in addition to the reset flag, I dunno.  Just used to be a giveaway,
and isn't anymore.  Indeed, less of a giveaway to do it with a return-rst,
if someone is watching the packets rather than just the errno of connect()
failures.

So for TCP, I take that back, although for UDP, return-icmp(port-unr)
is probably ok.
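The distinction the reply turns on (what errno a client sees for a RST on its SYN versus an ICMP port-unreachable versus a silent drop) is easy to check from the client side. The following is an added example, not code from the post or from the IPFilter project: a small probe that connects to a port and reports the errno name or a timeout, plus a helper that picks a closed loopback port so it runs without any network. The ipf rules in the header comment are my rendering of where the thread ends up (return-rst for TCP SYNs, return-icmp(port-unr) for UDP) and are not text from the message; the interface name ipdptp0 is the poster's and is only quoted, not assumed to exist.

```python
# Added example (not from the ipfilter list post): classify how a closed or
# filtered port answers, by the errno connect()/recv() hands back. It shows the
# thread's point that a TCP RST on the SYN surfaces as ECONNREFUSED, exactly
# like an ICMP port-unreachable would, while a silent drop shows as a timeout.
#
# Filter-side rules this implies (ipf syntax, my rendering of the thread's
# conclusion, not text from the post; ipdptp0 is the poster's interface):
#   block return-rst in quick on ipdptp0 proto tcp from any to any flags S/SA
#   block return-icmp(port-unr) in quick on ipdptp0 proto udp from any to any
import errno
import socket


def _errno_name(err):
    """Map a numeric errno to its symbolic name (e.g. 111 -> 'ECONNREFUSED')."""
    return errno.errorcode.get(err, "errno %d" % err)


def probe_tcp(host, port, timeout=2.0):
    """Return 'open', 'timeout' (SYN silently dropped, i.e. filtered), or the
    errno name connect() failed with ('ECONNREFUSED', 'ECONNRESET', ...)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:
        return "timeout"
    except OSError as e:
        return _errno_name(e.errno)
    finally:
        s.close()


def probe_udp(host, port, timeout=2.0, payload=b"\x00"):
    """Send one datagram on a connected UDP socket and wait for a reply.
    A kernel that receives ICMP port-unreachable reports it on the next
    recv() (or send()) as ECONNREFUSED; a filter that drops silently yields
    'timeout', which is also what a genuinely listening but quiet service
    looks like, so UDP 'timeout' means 'open|filtered', not 'closed'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        s.send(payload)
        s.recv(1)
        return "answered"
    except socket.timeout:
        return "timeout"
    except OSError as e:
        return _errno_name(e.errno)
    finally:
        s.close()


def closed_local_port(proto):
    """Constructed test input: pick a loopback port that is not listening
    (bind to port 0, read the number back, close it) so the probe hits a real
    closed port with no network involved. proto is 'tcp' or 'udp'."""
    kind = socket.SOCK_STREAM if proto == "tcp" else socket.SOCK_DGRAM
    s = socket.socket(socket.AF_INET, kind)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    print("tcp closed port ->", probe_tcp("127.0.0.1", closed_local_port("tcp")))
    print("udp closed port ->", probe_udp("127.0.0.1", closed_local_port("udp")))
```

Run it against a host behind the two rules above and both probes report ECONNREFUSED, the same thing a host with nothing listening reports; point it at a host that simply drops and both report a timeout, which is the giveaway the rules are meant to avoid. As the reply notes, someone capturing packets can still tell a filter's RST from the stack's own, but the errno alone no longer can.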
