From dwh@dwh2.kfu.com  Tue Apr 29 19:37:13 1997
Received: from dwh2.kfu.com (mg136-173.ricochet.net [204.179.136.173])
          by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id TAA27314
          for <FreeBSD-gnats-submit@freebsd.org>; Tue, 29 Apr 1997 19:37:08 -0700 (PDT)
Received: (from root@localhost) by dwh2.kfu.com (8.7.6/8.7.3) id TAA00535; Tue, 29 Apr 1997 19:34:32 -0700 (PDT)
Message-Id: <199704300234.TAA00535@dwh2.kfu.com>
Date: Tue, 29 Apr 1997 19:34:32 -0700 (PDT)
From: nsayer@quack.kfu.com
Reply-To: nsayer@quack.kfu.com
To: FreeBSD-gnats-submit@freebsd.org
Subject: ipfw rejected packets respond port unreach instead of host
X-Send-Pr-Version: 3.2

>Number:         3423
>Category:       kern
>Synopsis:       ipfw rejected packets respond port unreach instead of host
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Tue Apr 29 19:40:01 PDT 1997
>Closed-Date:    Sat Jul 5 11:47:31 PDT 1997
>Last-Modified:  Sat Jul  5 11:47:57 PDT 1997
>Originator:     Nick Sayer
>Release:        FreeBSD 2.2-961006-SNAP i386
>Organization:
Just me
>Environment:

>Description:

When IPFIREWALL rejects a packet, it sends an ICMP port unreachable.
While this is correct in theory, the more correct thing to do is
to send _host_ unreachable. Sending port unreachable causes many
systems (notably SunOS 4.x) to close _all_ sockets to your host,
not just the one that was rejected. Sending host unreachable
does the right thing.

Yes, this is ridiculous, but until _everyone_ runs with a 4.4BSD IP stack...

>How-To-Repeat:

Set up IPFW to reject port 113. Telnet to quack.kfu.com. You will
connect, then disconnect a second later. Why? The auth daemon
tried to log your auth data, got a port unreachable, and SunOS
in its wisdom cut all of the sockets loose.

If you _deny_ port 113 instead, then web servers out there that
want to collect your auth data will hang for the TCP connect timeout
interval because their SYN packets are being dropped.

Yes, you can just pass port 113, and that fixes auth, but that's
not really the point here.

>Fix:
Send host unreachable instead of port.
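Added example, not part of the PR and not FreeBSD or ipfw code: a small Python model of the ICMP destination unreachable message ipfw "reject" emitted (type 3, code 3) against the host unreachable (code 1) the report asks for, plus a receiver that maps the message back to the single connection identified by the quoted IP/TCP header, the per-socket handling the report contrasts with SunOS closing every socket to the host. Addresses, ports and all function names are constructed for the example; the IP header checksum is left at zero.

```python
import struct
from socket import inet_aton, inet_ntoa

# ICMP type 3 codes discussed in the report (constructed example, not FreeBSD code)
HOST_UNREACH = 1   # what the report asks ipfw "reject" to send
PORT_UNREACH = 3   # what ipfw "reject" sent at the time

def inet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 1071); 0 means 'verifies'."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_tcp_header(src, dst, sport, dport):
    """IPv4 header plus the first 8 bytes of TCP (ports + sequence number):
    this is all an ICMP unreachable quotes back to the sender."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     inet_aton(src), inet_aton(dst))
    return ip + struct.pack("!HHI", sport, dport, 0)

def build_icmp_unreach(code, quoted):
    """ICMP destination unreachable (type 3) with the given code."""
    body = struct.pack("!BBHI", 3, code, 0, 0) + quoted
    return struct.pack("!BBHI", 3, code, inet_checksum(body), 0) + quoted

def parse_icmp_unreach(pkt):
    """Return (code, (src, dst, sport, dport)) taken from the quoted datagram."""
    icmp_type, code, _csum, _unused = struct.unpack("!BBHI", pkt[:8])
    if icmp_type != 3 or inet_checksum(pkt) != 0:
        raise ValueError("not a valid ICMP destination unreachable")
    quoted = pkt[8:]
    ihl = (quoted[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", quoted[ihl:ihl + 4])
    return code, (inet_ntoa(quoted[12:16]), inet_ntoa(quoted[16:20]), sport, dport)

def affected_connections(conns, pkt):
    """Model of a per-socket stack: whatever the code, only the connection
    whose 4-tuple (local, remote, lport, rport) the quoted header names is
    told about the error, never every socket to that host."""
    _code, tup = parse_icmp_unreach(pkt)
    return [c for c in conns if c == tup]
```

Feeding the two variants through affected_connections shows the code byte is the only on-the-wire difference; which socket the error belongs to comes from the quoted header either way.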

>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: fenner 
State-Changed-When: Sat Jul 5 11:47:31 PDT 1997 
State-Changed-Why:  
Duplicate, see kern/3427 which includes a patch in the Fix: section. 
>Unformatted:
