Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!swrinde!zaphod.mps.ohio-state.edu!caen!spool.mu.edu!agate!agate!glass
From: glass@postgres.Berkeley.EDU (Adam Glass)
Newsgroups: comp.protocols.tcp-ip
Subject: Re: well-behaved firewalls
Message-ID:
Date: 20 Jun 91 23:39:35 GMT
References:
Sender: usenet@agate.berkeley.edu (USENET Administrator)
Organization: Organization is evil.
Lines: 57
In-Reply-To: bob@MorningStar.Com's message of Mon, 17 Jun 91 22:21:24 GMT

In article Bob Sutterfield writes:

> When a gateway is configured as a firewall, what is the polite thing to
> do about those packets that aren't passed? The packet itself should be
> dropped on the floor, but should the originating system be told anything
> about it?
>
> Suppose 25/tcp (SMTP) is allowed through but 23/tcp (Telnet) is blocked.
> Should the gateway return a Host Unreachable in response to a telnet
> request? Or maybe only a Port Unreachable or Protocol Unreachable, which
> would leave the originator wondering what other ports might be reachable
> or which protocols might be passed?
>
> RFC792 says that the destination host may send the Unreachable message
> back to the source host, but implies that only a host may send a Port or
> Protocol unreachable. Should the firewall, since it's assuming the
> filtering responsibility, also assume responsibility for the ICMP
> returns?
>
> RFC1009 doesn't seem to address this area except to suggest in 4.4 that
> address filters be supported, so I must rely on precedent for protocol
> filter behavior.
>
> What is polite? What is common?

The Host Requirements RFCs (rfc1122 and the other one) define 6 new codes
for use in the ICMP Destination Unreachable datagrams. These are:

    6 = destination network unknown
    7 = destination host unknown
    8 = source host isolated
    9 = communication with destination network administratively prohibited
   10 = communication with destination host administratively prohibited
   11 = network unreachable for type of service
   12 = host unreachable for type of service

Unfortunately, I don't think much software actually understands these yet.
9 and 10 are much more explicit and truthful than 'host unreachable'. What
an older implementation might do with an unknown code is anybody's guess.
I've also seen 'network down' used by a cisco box somewhere.

BTW: are you hacking a 4.X bsd tcp-ip implementation to do packet
filtering?

later,
Adam Glass
--
Adam Glass                  | Internet: glass@postgres.Berkeley.EDU
various roles at Berkeley   | Home    : glass@Chaos.org
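An added illustration of the reply's point, not code from the post or from any BSD or cisco implementation: a filtering gateway building an ICMP Destination Unreachable with one of the RFC 1122 codes (here 10, "host administratively prohibited"), and the originating host decoding it, including the fallback an older stack is left with when it meets a code it does not know. The sample packet (addresses, ports) is constructed for the example.

```python
import struct

# Destination Unreachable codes: RFC 792 (0-5) plus the RFC 1122 additions (6-12).
DEST_UNREACH_CODES = {
    0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
    3: "port unreachable", 4: "fragmentation needed and DF set", 5: "source route failed",
    6: "destination network unknown", 7: "destination host unknown", 8: "source host isolated",
    9: "communication with destination network administratively prohibited",
    10: "communication with destination host administratively prohibited",
    11: "network unreachable for type of service", 12: "host unreachable for type of service",
}

def icmp_checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071): one's complement of the one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_dest_unreachable(code: int, offending_packet: bytes) -> bytes:
    """ICMP type 3 message quoting the offending IP header plus its first 8 bytes, as RFC 792 requires."""
    ihl = (offending_packet[0] & 0x0F) * 4
    quoted = offending_packet[: ihl + 8]
    header = struct.pack("!BBHI", 3, code, 0, 0)  # type, code, checksum placeholder, unused
    return struct.pack("!BBHI", 3, code, icmp_checksum(header + quoted), 0) + quoted

def parse_dest_unreachable(msg: bytes) -> dict:
    """Decode a type 3 message at the sender: verify the checksum, then recover what was filtered."""
    if len(msg) < 28 or msg[0] != 3 or icmp_checksum(msg) != 0:
        raise ValueError("not a valid ICMP Destination Unreachable")
    code, quoted = msg[1], msg[8:]
    ihl = (quoted[0] & 0x0F) * 4
    src = ".".join(str(b) for b in quoted[12:16])
    dst = ".".join(str(b) for b in quoted[16:20])
    dport = struct.unpack("!H", quoted[ihl + 2: ihl + 4])[0]  # TCP/UDP destination port
    # A pre-RFC1122 stack has no table entry for 6-12; the best it can do is treat them like code 1.
    meaning = DEST_UNREACH_CODES.get(code, "unknown code (treated as host unreachable by old stacks)")
    return {"code": code, "meaning": meaning, "src": src, "dst": dst, "proto": quoted[9], "dport": dport}

# Constructed sample (not a real capture): a 20-byte IPv4 header, proto 6 (TCP), 10.0.0.5 -> 192.0.2.10,
# followed by the first 8 bytes of a TCP segment whose destination port is 23 (Telnet).
SAMPLE_TELNET_SYN = (
    struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, 64, 6, 0, bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10]))
    + struct.pack("!HHI", 40000, 23, 1)
)
```

Calling `parse_dest_unreachable(build_dest_unreachable(10, SAMPLE_TELNET_SYN))` shows the originator exactly which connection (source, destination, protocol, port 23) the gateway refused, which is the information a bare "host unreachable" hides.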