Suggestion regarding a new option for IPFW2
Michael Sierchio
kudzu at tenebras.com
Fri Aug 1 08:15:46 PDT 2003
Sten Daniel Sørsdal wrote:
> I have a humble suggestion to an IPFW2 option.
>
> The option to send icmp error messages/tcp resets with src being
> the original destination of the offending packet.
>
> I realize after looking at the src's that this might require a
> separate icmp_error() - please correct me if I'm wrong!
>
> The intent is to "disguise" the source of the error message for
> forwarding firewalls protecting servers.
This feature already exists.

natd already does this. It does even better -- it correctly
rewrites the *included* header (the one from the offending
packet).

That being said, it's certainly correct for an intermediate
router (for example, a firewall) to issue an ICMP unreachable
net-prohib, etc. or to issue a TCP reset, without rewriting.

This works fine -- several mailing lists I subscribe to
attempt to connect to auth/tcp when I post. My firewall
issues a reset to these connection attempts, and they
give up and cheerfully accept my message.
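The rewrite of the *included* header that the reply attributes to natd, as an added illustration that is not natd's code and not part of the list post. An ICMP error quotes the IP header plus the first 8 bytes of the packet that provoked it, so when a host behind a NAT rejects a connection with an ICMP unreachable, both the outer source and the quoted inner destination carry its private address; a NAT that only rewrites the outer header leaks the private address and leaves the remote stack unable to match the error to its socket. The addresses and the offending SYN to auth/tcp (port 113) below are constructed, and the translation function is a simplified model of what any NAT must do, not natd's implementation.

```python
import struct
from ipaddress import IPv4Address

# Constructed sample addresses (documentation ranges); not from the post.
PRIVATE_HOST = "10.0.0.5"      # protected server behind the NAT
PUBLIC_ADDR = "203.0.113.1"    # NAT box's outside address
REMOTE_HOST = "198.51.100.7"   # outside host that sent the offending SYN

ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}  # ICMP messages that quote the offending packet


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 for data whose checksum is valid."""
    data = bytes(data)
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                      proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def icmp_unreachable(code: int, quoted: bytes) -> bytes:
    """ICMP type 3 (Destination Unreachable); the checksum covers the quoted bytes too."""
    body = struct.pack("!BBHI", 3, code, 0, 0) + quoted
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]


def build_untranslated_error() -> bytes:
    """The error as the private host emits it: private address in both headers."""
    # Offending packet: a SYN from the remote host to auth/tcp (113), as it
    # looked after the NAT translated its destination inward. Only the
    # first 8 bytes of the TCP header (ports + sequence number) are quoted.
    quoted = ipv4_header(REMOTE_HOST, PRIVATE_HOST, 6, 20) + struct.pack("!HHI", 40001, 113, 0x1234)
    icmp = icmp_unreachable(9, quoted)  # code 9: net administratively prohibited
    return ipv4_header(PRIVATE_HOST, REMOTE_HOST, 1, len(icmp)) + icmp


def nat_translate_icmp_error(packet: bytes, private: str, public: str) -> bytes:
    """Rewrite outer src and quoted inner dst from private to public, fixing all three checksums."""
    ihl = (packet[0] & 0x0F) * 4
    outer, icmp = bytearray(packet[:ihl]), bytearray(packet[ihl:])
    priv, pub = IPv4Address(private).packed, IPv4Address(public).packed
    if outer[9] != 1 or icmp[0] not in ICMP_ERROR_TYPES:
        raise ValueError("not an ICMP error message")
    if bytes(outer[12:16]) != priv:
        raise ValueError("outer source is not the private host")
    inner = 8  # quoted IP header starts right after the 8-byte ICMP header
    inner_ihl = (icmp[inner] & 0x0F) * 4
    if bytes(icmp[inner + 16:inner + 20]) != priv:
        raise ValueError("quoted packet was not addressed to the private host")

    # 1. outer source address and outer IP header checksum
    outer[12:16] = pub
    outer[10:12] = b"\x00\x00"
    outer[10:12] = struct.pack("!H", checksum(outer))
    # 2. quoted destination address and quoted IP header checksum
    icmp[inner + 16:inner + 20] = pub
    icmp[inner + 10:inner + 12] = b"\x00\x00"
    icmp[inner + 10:inner + 12] = struct.pack("!H", checksum(icmp[inner:inner + inner_ihl]))
    # 3. ICMP checksum, which covers the quoted bytes that just changed.
    #    The quoted TCP header is truncated before its own checksum field,
    #    so there is no fourth checksum to repair.
    icmp[2:4] = b"\x00\x00"
    icmp[2:4] = struct.pack("!H", checksum(icmp))
    return bytes(outer + icmp)


def addresses(packet: bytes) -> dict:
    """Outer and quoted addresses: what the remote host would see."""
    ihl = (packet[0] & 0x0F) * 4
    inner = packet[ihl + 8:]
    return {
        "outer_src": str(IPv4Address(packet[12:16])),
        "outer_dst": str(IPv4Address(packet[16:20])),
        "inner_src": str(IPv4Address(inner[12:16])),
        "inner_dst": str(IPv4Address(inner[16:20])),
    }


def checksums_ok(packet: bytes) -> bool:
    """True when the outer IP, ICMP and quoted IP checksums all verify."""
    ihl = (packet[0] & 0x0F) * 4
    icmp = packet[ihl:]
    inner_ihl = (icmp[8] & 0x0F) * 4
    return (checksum(packet[:ihl]) == 0 and checksum(icmp) == 0
            and checksum(icmp[8:8 + inner_ihl]) == 0)


if __name__ == "__main__":
    raw = build_untranslated_error()
    print("before NAT:", addresses(raw), checksums_ok(raw))
    fixed = nat_translate_icmp_error(raw, PRIVATE_HOST, PUBLIC_ADDR)
    print("after NAT: ", addresses(fixed), checksums_ok(fixed))
```

Running it shows the untranslated error carrying 10.0.0.5 as both the outer source and the quoted destination, and the translated one carrying 203.0.113.1 in both places with every checksum still valid; the same three-step rewrite applies to a TCP reset's quoted header when the reset is carried inside an ICMP error, whereas a plain RST segment only needs the outer header (and its TCP pseudo-header checksum) translated.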