List: ipfilter
Subject: Re: um, wrong
From: "Richard L. Hamilton" <rlhamil () mindwarp ! smart ! net>
Date: 1997-08-21 16:02:11
">" == someone more alert than me
">>" == me
>> block return-icmp(port-unr) in quick on ipdptp0 proto tcp from any
>> to any flags S/SA
>>
>> would make it look to a denied host as if you weren't listening on the port
>
> What stack are you aware of that sends icmp port-unr instead
> of RST for an inactive *TCP* port??
I was going to say all of 'em, but after looking into it, you're right.
It used to be that forcing a TCP reset would result in a remote
*nix system seeing error ECONNRESET, which was the real giveaway, whereas
an ICMP port unreachable would result in ECONNREFUSED. But now, it looks
like a TCP reset during connection establishment (which is in fact what I
saw snooping a connect to an un-listened-to port) also results in
ECONNREFUSED. Maybe return-rst used to set a different combination of
flags in addition to the reset flag, I dunno. Just used to be a giveaway,
and isn't anymore. Indeed, less of a giveaway to do it with a return-rst,
if someone is watching the packets rather than just the errno of connect()
failures.
So for TCP, I take that back, although for UDP, return-icmp(port-unr)
is probably ok.
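The errno distinction the reply turns on can be reproduced on the loopback interface without any firewall in the path. The script below is an added example, not code from the thread or from ipfilter: it connects to a local port nobody listens on (the stack answers the SYN with an RST, which connect() reports as ECONNREFUSED), and then has a server close an already-established connection abortively with SO_LINGER set to zero (RST on the wire, which the client's recv() reports as ECONNRESET). It assumes a POSIX stack with 127.0.0.1 available; the port numbers are chosen by the kernel at run time.

```python
import errno
import socket
import struct

HOST = "127.0.0.1"  # loopback only; nothing leaves the machine


def errno_name(err):
    """Map a numeric errno to its symbolic name, e.g. 104 -> 'ECONNRESET'."""
    return errno.errorcode.get(err, "E%d" % err)


def unused_port():
    """Bind to port 0, read back the port the kernel picked, release it.
    Nothing listens there afterwards, so a SYN to it is answered with RST."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((HOST, 0))
        return s.getsockname()[1]


def connect_result(port, host=HOST):
    """Attempt a TCP connect; return 'OK' or the errno name connect() raised.
    An RST received during the handshake surfaces here as ECONNREFUSED."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(2)
        try:
            s.connect((host, port))
            return "OK"
        except OSError as e:
            return errno_name(e.errno)


def reset_established_result():
    """Establish a connection, then have the server side close it abortively.
    SO_LINGER with l_onoff=1, l_linger=0 makes close() emit RST instead of FIN;
    the client's next recv() then fails with ECONNRESET, the 'real giveaway'
    the message describes for a reset on an already-open connection."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((HOST, 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    cli.settimeout(2)
    cli.connect((HOST, port))
    conn, _ = srv.accept()

    # struct linger {int l_onoff; int l_linger;} -> abortive close
    conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
    conn.close()
    srv.close()

    try:
        data = cli.recv(1)
        result = "OK" if data else "EOF"  # FIN would show up as a clean EOF
    except OSError as e:
        result = errno_name(e.errno)
    finally:
        cli.close()
    return result


if __name__ == "__main__":
    print("SYN to closed port  ->", connect_result(unused_port()))
    print("RST on open conn    ->", reset_established_result())
```

Run it as-is; the first line prints ECONNREFUSED and the second ECONNRESET, which is exactly why a return-rst on a blocked SYN is indistinguishable, from the errno alone, from a port with no listener, while a reset of a live connection still stands out.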