pf and return-rst & return-icmp Huh?

Post by mr_sca » Sat, 26 Oct 2002 10:20:35



I am trying to build a nice pf.conf and I often see references to
return-rst and return-icmp.

The pf.conf man page mentions them but doesn't explain them.  RFC for
icmp doesn't mention them, explicitly anyway.

Can someone direct me to some intelligible source that explains these
things and why they are often blocked via firewalls.  I have an idea
but my policy is to be as complete in my understanding as possible.

TIA


pf and return-rst & return-icmp Huh?

Post by Marc » Sat, 26 Oct 2002 21:12:34



> I am trying to build a nice pf.conf and I often see references to
> return-rst and return-icmp.

> The pf.conf man page mentions them but doesn't explain them.  RFC for
> icmp doesn't mention them, explicitly anyway.

> Can someone direct me to some intelligible source that explains these
> things and why they are often blocked via firewalls.  I have an idea
> but my policy is to be as complete in my understanding as possible.

Actually these are NOT blocked by the firewall but they are USED as an
"action" by the firewall with a block rule. They actually tell the
firewall to be polite to the client: when a rule is blocked the firewall
will return a TCP packet with the RESET (for return-rst) flag set;
this will make the client immediately close the connection instead of
simply timing out.

If I remember correctly return-icmp will make the firewall return an ICMP
port unreachable message to the client. Please someone correct me if I
am telling garbage...

It's simply a way for the firewall to be polite to the client. It's up
to you to see if you want to use these or not. Personally I don't use
them; I simply don't care.

Regards


pf and return-rst & return-icmp Huh?

Post by nob.. » Sun, 27 Oct 2002 02:38:26


I can't think of where I've seen a site that gives details (the best place
to look would probably be packet-filter how-tos) but here is a quick
explanation:

The normal 'block' option just drops a packet. The packet sender
has no idea what happened to the packet, because it received no
response. Thus it will sit and wait for a timeout, and thus might
resend a few times before giving up. For a TCP packet 'block
return-rst' means the firewall will send a response back to the packet
originator in essence telling it that its request for a connection
just isn't going to happen (i.e. don't waste your time waiting around).
If you are keeping state on inbound connections, and using the
'flags S/SA' option, then I can't see that you should have to worry
about abuse from incoming tcp-resets. (Outgoing can be another
matter though -- As I recall for some sneaky half-open port scans,
any kind of response such as a tcp-reset may give all the information
the person probing is looking for, but rumour has it pf's authors
know more about these tricks than we mere mortals, and take them into
account =)

The 'block return-icmp' is similar, but is also suited to icmp/udp
type packets. Sometimes you don't want to just drop the packet
without sending a response, particularly in the case of any outbound
connections that you are blocking. (For example it can be annoying
to have your web-browser waiting around for a connection it isn't
going to get because the response is blocked at the firewall and can't
get through).

Both types of packets have some potential to be abused for port-scans,
finger-prints and/or DoS attacks -- I don't remember all the details.
Note that there are numerous 'types' of ICMP packets, with varying
potential for abuse. Not letting the 'destination unreachable' type
of ICMP packet above through your firewall usually isn't worth it
(abuse is very unlikely).

This probably isn't as much detail as you would like, but for a
firewall it is all you really need to know. In essence, use the
'return' option if you don't want a packet sender to wait around
or keep trying to send to something you have blocked. And don't go out
of your way to block all 'unreachable' type ICMP packets, it isn't worth
the performance hit (actually I think Pf's state keeping functionality
handles these things intelligently anyway ... someone correct me if I'm
wrong).

I hope this helps...


> I am trying to build a nice pf.conf and I often see references to
> return-rst and return-icmp.
> The pf.conf man page mentions them but doesn't explain them.  RFC for
> icmp doesn't mention them, explicitly anyway.
> Can someone direct me to some intelligible source that explains these
> things and why they are often blocked via firewalls.  I have an idea
> but my policy is to be as complete in my understanding as possible.
> TIA
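The three kinds of block the two replies above describe, written out as pf.conf rules so the difference is visible side by side. This is an added example, not a rule set posted in the thread; the interface macro `ext_if`, the port numbers and the rule ordering are assumed for illustration. pf evaluates rules last-match-wins unless `quick` is given, which is why the polite block rules sit after the default drop and the outbound one sits after the `pass out` rule.

```pf
# Added example (not from the thread). Assumed: external interface tun0.
ext_if = "tun0"

# Plain block: the packet is dropped silently. The sender gets no answer,
# so it retransmits until its own timeout expires.
block in on $ext_if all

# TCP: answer with a RST. The remote peer aborts the connection attempt
# at once instead of waiting for a timeout.
block return-rst in on $ext_if proto tcp from any to any port 139

# UDP has no RST, so answer with an ICMP destination unreachable
# (port unreachable) message instead.
block return-icmp in on $ext_if proto udp from any to any port 111

# What we do allow: only a bare SYN (flags S/SA) may create state, so an
# unsolicited inbound RST can never match this rule and create an entry.
pass in on $ext_if proto tcp from any to any port 22 flags S/SA keep state

# Let our own hosts out statefully ...
pass out on $ext_if proto { tcp udp } from any to any keep state

# ... but refuse one outbound service politely, so a client on the LAN
# fails immediately rather than hanging on a blocked destination.
# (Placed after the pass out rule so that, last-match-wins, it prevails.)
block return-rst out on $ext_if proto tcp from any to any port 6667
```

Load it with `pfctl -nf /etc/pf.conf` first (`-n` parses without loading) and then `pfctl -f /etc/pf.conf`; `pfctl -sr` shows the rules as pf parsed them. Newer pf also accepts the generic `block return`, which picks a TCP RST or an ICMP unreachable according to the protocol of the packet it is refusing.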


1. ipfilter block return-rst and ipnat rdr

I have a problem.
In my LAN there are a few computers. OpenBSD 2.9 is the main router. All
computers are NAT'ed. One of them contains a server for something. I used
ipnat to assign a port for redirections:

rdr tun0 0.0.0.0/0 port 10200 -> 192.168.2.6 port 10200 tcp/udp

For security reasons I used ipf to block a few ports:

# netbios
block return-rst in log quick on tun0 proto tcp from any to any port = 139
# sunrpc
block return-rst in log quick on tun0 proto tcp from any to any port = 111

I used the return-rst option for maximum security (without that the port is
still visible to most port scanners).
I wanted also to block that redirected port:

block return-rst in log quick on tun0 proto tcp from any to any port = 10200

But the return-rst doesn't work here.

Any ideas? Is it possible to make it work as I described?

sincerely
Lukasz Biegaj
