List:       openbsd-pf
Subject:    Re: return-rst doesn't return the reset
From:       "Ethy H. Brito" <ethy () inexo ! com ! br>
Date:       2002-08-06 22:55:04

On Wed, 7 Aug 2002 00:21:22 +0200
"Daniel Hartmeier" <daniel@benzedrine.cx> wrote:

> On Tue, Aug 06, 2002 at 06:57:08PM -0300, Ethy H. Brito wrote:
> 
> > And what would be the address it (the bridge) is going to put in the
> > packet? The new assigned bridge interface address or the connection
> > originator address? I ask this because ipf has an option
> > (return-icmp-as-dest) that did the trick very well.
> 
> For return-rst, the destination of the blocked packet, and for
> return-icmp, the firewall's address. For some ICMP errors (like
> 'host unreachable'), it makes no sense to use the destination's
> address. 

I can see why the returned packet must have the firewall's IP address in
case of an ICMP error (like 'host unreachable'). But what is not
"understandable" by me is why the bridge has to have an IP if it
will return the packet with the originator's IP (in the case of
return-rst)?

> An optional 'return-icmp as <ip>' or similar has been suggested
> before, but we haven't found an elegant way to implement it without
> duplicating large chunks of code already found in the stack.

This would be a nice feature since the bridge could 'return-icmp as' the
router that precedes it (as you say below)! (The funny part is that it
seems not that difficult to the ignorant: the bridge receives a
packet, blocks it, just reverts the orig/dest IPs and sends back the
ICMP msg.)

> 
> Most ICMP errors should actually come from a router in front of the
> protected destination (and not the destination itself), some people
> seem to be concerned with advertising the router's address in the ICMP
> error.

That's my concern too. I am a master's degree student in Computer Science
and we were asked to write a bridge (using OpenBSD) to do this
particular job (return rst/icmp to originators). It seems that the
teacher knows about this "problem" and wants to see what we (students)
will do _OR_ wants us to discover why it doesn't work in a plain bridge
configuration.

Regards

Ethy
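The addressing rule Daniel gives above (a return-rst reply is sourced from the blocked packet's destination, a return-icmp error from the firewall's own address), as an added Python model that is not pf code and not from this thread; the Tcp/Reply classes and the function names are assumptions made for the example.

```python
# Added illustration, not pf's implementation: which addresses and header
# fields a filtering bridge puts into the reply to a blocked TCP segment.
from dataclasses import dataclass
from typing import Optional

ICMP_UNREACH = 3          # ICMP type: destination unreachable
CODE_HOST_UNREACH = 1     # ICMP code: host unreachable

@dataclass
class Tcp:                # assumed model of the blocked segment (no payload)
    src: str; dst: str; sport: int; dport: int
    seq: int; ack: int; flags: frozenset

@dataclass
class Reply:              # assumed model of what the bridge sends back
    src: str; dst: str; proto: str; fields: dict

def return_rst(blocked: Tcp) -> Reply:
    """RST for a blocked segment, addressed the way return-rst does it.

    The reset is sourced from the blocked packet's *destination*, so a
    bridge needs no address of its own to send it. Numbers follow RFC 793:
    a segment carrying ACK gets seq = its ack and RST; a segment without
    ACK (a SYN) gets seq 0, ack = its seq + 1 (the SYN counts as one
    octet) and RST|ACK."""
    if "ACK" in blocked.flags:
        seq, ack, flags = blocked.ack, 0, frozenset({"RST"})
    else:
        seq, ack, flags = 0, blocked.seq + 1, frozenset({"RST", "ACK"})
    return Reply(src=blocked.dst, dst=blocked.src, proto="tcp",
                 fields={"sport": blocked.dport, "dport": blocked.sport,
                         "seq": seq, "ack": ack, "flags": flags})

def return_icmp(blocked: Tcp, firewall_addr: Optional[str],
                code: int = CODE_HOST_UNREACH) -> Reply:
    """ICMP unreachable for a blocked packet, sourced from the firewall.

    An ICMP error is sent by the node that dropped the packet, not by the
    destination, so a bridge without an address cannot produce one. The
    error quotes the original IP header plus the first 8 payload bytes,
    i.e. the TCP ports (only the addresses and ports are modelled here)."""
    if firewall_addr is None:
        raise ValueError("return-icmp needs an address on the bridge")
    quoted = {"src": blocked.src, "dst": blocked.dst,
              "sport": blocked.sport, "dport": blocked.dport}
    return Reply(src=firewall_addr, dst=blocked.src, proto="icmp",
                 fields={"type": ICMP_UNREACH, "code": code, "quoted": quoted})
```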
