From nsayer@quack.kfu.com  Wed Apr 30 02:34:32 1997
Received: from quack.kfu.com (0@quack.kfu.com [204.147.226.1])
          by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id CAA18347
          for <FreeBSD-gnats-submit@freebsd.org>; Wed, 30 Apr 1997 02:34:30 -0700 (PDT)
Received: from icarus.kfu.com (icarus.kfu.com [204.147.226.3]) by quack.kfu.com (8.8.5/8.6.12) with ESMTP id CAA20751 for <FreeBSD-gnats-submit@freebsd.org>; Wed, 30 Apr 1997 02:34:28 -0700 (PDT)
Received: by icarus.kfu.com 
        (8.8.2//ident-1.0) id CAA07732; Wed, 30 Apr 1997 02:34:27 -0700 (PDT) 
Message-Id: <199704300934.CAA07732@icarus.kfu.com>
Date: Wed, 30 Apr 1997 02:34:27 -0700 (PDT)
From: nsayer@quack.kfu.com
Reply-To: nsayer@quack.kfu.com
To: FreeBSD-gnats-submit@freebsd.org
Subject: IPFIREWALL reject returns port unreachable, not host
X-Send-Pr-Version: 3.2

>Number:         3427
>Category:       kern
>Synopsis:       IPFIREWALL reject returns port unreachable, not host
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Wed Apr 30 02:40:01 PDT 1997
>Closed-Date:    Sat Jul 5 11:49:06 PDT 1997
>Last-Modified:  Sat Jul  5 11:49:43 PDT 1997
>Originator:     Nick Sayer
>Release:        FreeBSD 2.2.1-RELEASE i386
>Organization:
Just me
>Environment:

[this is possibly a duplicate PR. I got no ack from the first.]

>Description:

When a reject rule is invoked on a packet, the return is an ICMP
port unreachable. While this is seemingly correct behavior, it
breaks SunOS 4.x. If SunOS receives a port unreachable, it will
disconnect ALL sockets whose remote address matches the ICMP source.
If SunOS receives a host unreachable, it does the right thing.

Yes, this is bogus, but until _everyone_ is running a modern IP
implementation, the correct thing to do is to return a host
unreachable instead. Or at _least_ make it a sysctl or kernel
compile-time option.

>How-To-Repeat:

Code up a reject rule for TCP port 113. Telnet to quack.kfu.com.
Observe that you are connected, then immediately disconnected.
When you telnet to quack, it does an identd probe. The probe is
rejected with a port unreachable. SunOS then disconnects both the
ident probe and the original telnet.

Similarly, you can also connect to anyone running Sendmail configured
to do RFC931 on a Sun and see the same thing.

Yes, passing port 113 instead of rejecting it would work around this
problem, but that's not really the point here.

>Fix:

*** ip_fw.c.orig        Wed Jan 29 05:15:42 1997
--- ip_fw.c     Wed Apr 30 02:19:40 1997
***************
*** 478,484 ****
            && (f->fw_flg & IP_FW_F_COMMAND) == IP_FW_F_DENY
            && (ip->ip_p != IPPROTO_ICMP)
            && (f->fw_flg & IP_FW_F_ICMPRPL)) {
!               icmp_error(*m, ICMP_UNREACH, ICMP_UNREACH_PORT, 0L, 0);
                return -1;
        }
        m_freem(*m);
--- 478,484 ----
            && (f->fw_flg & IP_FW_F_COMMAND) == IP_FW_F_DENY
            && (ip->ip_p != IPPROTO_ICMP)
            && (f->fw_flg & IP_FW_F_ICMPRPL)) {
!               icmp_error(*m, ICMP_UNREACH, ICMP_UNREACH_HOST, 0L, 0);
                return -1;
        }
        m_freem(*m);
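Review bot: the `!` line swaps ICMP_UNREACH_PORT for ICMP_UNREACH_HOST unconditionally, while the Description itself asks for this to be "at _least_ a sysctl or kernel compile-time option"; as written, every reject rule on every FreeBSD firewall now reports the less accurate host-unreachable code to work around a SunOS 4.x quirk, with no way to keep the correct port-unreachable reply for hosts that handle it properly. Suggest gating the code choice, e.g. `icmp_error(*m, ICMP_UNREACH, reject_code, 0L, 0);` where `reject_code` is selected by a sysctl or a per-rule flag (names hypothetical), and adding a comment at the call site explaining why host unreachable may be preferred, since nothing in the hunk records the reason for the change.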

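Added example, not code from this PR or from FreeBSD's ip_fw.c: a small C program that builds the ICMP Destination Unreachable reply a reject rule sends for a rejected datagram (the same shape icmp_error() produces: 8-byte ICMP header followed by the original IP header and its first 8 bytes) and parses it back, so the difference between the original ICMP_UNREACH_PORT (code 3) and the patched ICMP_UNREACH_HOST (code 1) can be checked against a packet capture from the firewall. Byte layout follows RFC 792 and RFC 791; the sample probe (a TCP SYN from 192.0.2.1:40000 to 192.0.2.2:113, standing in for the identd probe in the PR) and all names are constructed for this example.

```c
/* Added example (not from the PR or FreeBSD): build and parse the ICMP
 * Destination Unreachable reply sent by a firewall "reject" rule.
 * Layout per RFC 792 (ICMP) and RFC 791 (IPv4). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ICMP_TYPE_UNREACH 3   /* Destination Unreachable */
#define UNREACH_HOST      1   /* ICMP_UNREACH_HOST, what the patch sends */
#define UNREACH_PORT      3   /* ICMP_UNREACH_PORT, what the original sent */

struct unreach_info {
    uint8_t  code;         /* 1 = host unreachable, 3 = port unreachable */
    uint8_t  inner_proto;  /* protocol of the quoted original datagram */
    uint32_t inner_dst;    /* original destination address (host order) */
    uint16_t inner_sport;  /* quoted TCP/UDP ports (0 for other protocols) */
    uint16_t inner_dport;
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) { return ((uint32_t)be16(p) << 16) | be16(p + 2); }

/* RFC 1071 Internet checksum; yields 0 over a message whose checksum
 * field is already correct, which is how a receiver verifies it. */
static uint16_t inet_cksum(const uint8_t *buf, size_t len) {
    uint32_t sum = 0;
    for (; len > 1; buf += 2, len -= 2) sum += be16(buf);
    if (len) sum += (uint32_t)buf[0] << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Build the reply for the rejected datagram at orig (IPv4 header plus at
 * least 8 bytes of payload): 8-byte ICMP header, then the original IP header
 * and its first 8 bytes. Returns the length written to out (0 on bad input);
 * out must hold 8 + 60 + 8 bytes. */
size_t build_unreach(uint8_t code, const uint8_t *orig, size_t orig_len, uint8_t *out) {
    size_t ihl = (orig[0] & 0x0f) * 4;
    if ((orig[0] >> 4) != 4 || ihl < 20 || orig_len < ihl + 8) return 0;
    memset(out, 0, 8);                 /* checksum and unused field start at 0 */
    out[0] = ICMP_TYPE_UNREACH;
    out[1] = code;
    memcpy(out + 8, orig, ihl + 8);
    uint16_t ck = inet_cksum(out, 8 + ihl + 8);
    out[2] = (uint8_t)(ck >> 8);
    out[3] = (uint8_t)ck;
    return 8 + ihl + 8;
}

/* Parse an ICMP message (outer IP header already stripped). Returns 1 and
 * fills *info for a well-formed Destination Unreachable, 0 otherwise. */
int parse_unreach(const uint8_t *icmp, size_t len, struct unreach_info *info) {
    memset(info, 0, sizeof *info);
    if (len < 8 + 20 + 8 || icmp[0] != ICMP_TYPE_UNREACH) return 0;
    if (inet_cksum(icmp, len) != 0) return 0;          /* corrupted message */
    const uint8_t *ip = icmp + 8;
    size_t ihl = (ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || len < 8 + ihl + 8) return 0;
    info->code = icmp[1];
    info->inner_proto = ip[9];
    info->inner_dst = be32(ip + 16);
    if (info->inner_proto == 6 || info->inner_proto == 17) {   /* TCP or UDP */
        info->inner_sport = be16(ip + ihl);
        info->inner_dport = be16(ip + ihl + 2);
    }
    return 1;
}

/* Constructed sample: TCP SYN 192.0.2.1:40000 -> 192.0.2.2:113 (an identd
 * probe like the one in the PR); 20-byte IP header + 20-byte TCP header. */
const uint8_t sample_probe[40] = {
    0x45, 0x00, 0x00, 0x28, 0x12, 0x34, 0x40, 0x00, 0x40, 0x06, 0x00, 0x00,
    192, 0, 2, 1,  192, 0, 2, 2,
    0x9c, 0x40, 0x00, 0x71, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
    0x50, 0x02, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00,
};

int main(void) {
    uint8_t reply[8 + 60 + 8];
    struct unreach_info info;
    const uint8_t codes[2] = { UNREACH_PORT, UNREACH_HOST };
    for (int i = 0; i < 2; i++) {
        size_t n = build_unreach(codes[i], sample_probe, sizeof sample_probe, reply);
        if (parse_unreach(reply, n, &info))
            printf("ICMP unreachable code %u (%s) for proto %u, dst port %u\n",
                   info.code, info.code == UNREACH_PORT ? "port" : "host",
                   info.inner_proto, info.inner_dport);
    }
    return 0;
}
```

Run as-is it prints one line per code; to check a real firewall, feed parse_unreach() the ICMP payload of the reply captured from the rejecting host and compare the reported code with the one the kernel is supposed to send. The checksum test matters: a reply that fails it was modified in transit and should not be used to judge the firewall's behaviour.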
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: fenner 
State-Changed-When: Sat Jul 5 11:49:06 PDT 1997 
State-Changed-Why:  
Oops, there's another duplicate (kern/3446) which has 
not only the patch but also a followup. 
>Unformatted:
