From nsayer@quack.kfu.com  Wed Apr 30 02:34:32 1997
Received: from quack.kfu.com (0@quack.kfu.com [204.147.226.1])
          by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id CAA18347
          for <FreeBSD-gnats-submit@freebsd.org>; Wed, 30 Apr 1997 02:34:30 -0700 (PDT)
Received: from icarus.kfu.com (icarus.kfu.com [204.147.226.3]) by quack.kfu.com (8.8.5/8.6.12) with ESMTP id CAA20751 for <FreeBSD-gnats-submit@freebsd.org>; Wed, 30 Apr 1997 02:34:28 -0700 (PDT)
Received: by icarus.kfu.com
        (8.8.2//ident-1.0) id CAA07732; Wed, 30 Apr 1997 02:34:27 -0700 (PDT)
Message-Id: <199704300934.CAA07732@icarus.kfu.com>
Date: Wed, 30 Apr 1997 02:34:27 -0700 (PDT)
From: nsayer@quack.kfu.com
Reply-To: nsayer@quack.kfu.com
To: FreeBSD-gnats-submit@freebsd.org
Subject: IPFIREWALL reject returns port unreachable, not host
X-Send-Pr-Version: 3.2

>Number:         3446
>Category:       kern
>Synopsis:       IPFIREWALL reject returns port unreachable, not host
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Thu May  1 00:54:09 PDT 1997
>Closed-Date:    Sun Jul 6 12:42:34 PDT 1997
>Last-Modified:  Sun Jul  6 12:43:18 PDT 1997
>Originator:     Nick Sayer
>Release:        FreeBSD 2.2.1-RELEASE i386
>Organization:
Just me
>Environment:

[This is possibly a duplicate PR. I got no ack from the first.]

>Description:

When a reject rule is invoked on a packet, the return is an ICMP
port unreachable. While this is seemingly correct behavior, it
breaks SunOS 4.x. If SunOS receives a port unreachable, it will
disconnect ALL sockets whose remote address matches the ICMP source.
If SunOS receives a host unreachable, it does the right thing.

Yes, this is bogus, but until _everyone_ is running a modern IP
implementation, the correct thing to do is to return a host
unreachable instead. Or at _least_ make it a sysctl or kernel
compile-time option.

>How-To-Repeat:

Code up a reject rule for TCP port 113. Telnet to quack.kfu.com.
Observe that you are connected, then immediately disconnected.
When you telnet to quack, it does an identd probe. The probe is
rejected with a port unreachable. SunOS then disconnects both the
ident probe and the original telnet.

Similarly, you can also connect to anyone running Sendmail configured
to do RFC931 on a Sun and see the same thing.

Yes, passing port 113 instead of rejecting it would work around this
problem, but that's not really the point here.

>Fix:

*** ip_fw.c.orig        Wed Jan 29 05:15:42 1997
--- ip_fw.c     Wed Apr 30 02:19:40 1997
***************
*** 478,484 ****
            && (f->fw_flg & IP_FW_F_COMMAND) == IP_FW_F_DENY
            && (ip->ip_p != IPPROTO_ICMP)
            && (f->fw_flg & IP_FW_F_ICMPRPL)) {
!               icmp_error(*m, ICMP_UNREACH, ICMP_UNREACH_PORT, 0L, 0);
                return -1;
        }
        m_freem(*m);
--- 478,484 ----
            && (f->fw_flg & IP_FW_F_COMMAND) == IP_FW_F_DENY
            && (ip->ip_p != IPPROTO_ICMP)
            && (f->fw_flg & IP_FW_F_ICMPRPL)) {
!               icmp_error(*m, ICMP_UNREACH, ICMP_UNREACH_HOST, 0L, 0);
                return -1;
        }
        m_freem(*m);
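Review bot: the hunk hard-codes ICMP_UNREACH_HOST in place of ICMP_UNREACH_PORT for every reject rule, whereas the description asks for at least a sysctl or kernel compile-time option; as written there is no way to keep the port-unreachable reply for peers that handle it correctly. The surrounding guard only excludes `ip->ip_p != IPPROTO_ICMP`, so UDP rejects change too, and a conforming peer then treats the whole host as unreachable rather than one port as closed. Suggest gating the code on the option the description itself proposes, defaulting to the existing ICMP_UNREACH_PORT, rather than changing the constant unconditionally.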

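As an added illustration (not part of this PR or of ip_fw.c), the Python below builds the two reject replies the firewall can emit for the ident probe from the repro, ICMP_UNREACH_PORT as the unpatched kernel sends it and ICMP_UNREACH_HOST as the patch sends it, and decodes a captured reply to name the rejected flow and flag the port-unreachable case the description says breaks SunOS 4.x. Addresses, ports and sequence numbers in the sample packet are constructed.

```python
import struct
# ICMP / IP constants as used in ip_fw.c (values from RFC 792 and the netinet headers)
ICMP_UNREACH = 3
ICMP_UNREACH_HOST = 1   # code the PR's patch substitutes
ICMP_UNREACH_PORT = 3   # code the unpatched ip_fw.c sends
IPPROTO_TCP = 6
IDENT_PORT = 113        # the identd probe the repro rejects

def inet_checksum(data):
    """RFC 1071 one's-complement checksum (pads odd length); 0 over a valid message."""
    if len(data) % 2:
        data += b"\0"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header, no options, with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]

def build_unreach(code, offending):
    """ICMP destination unreachable as icmp_error() emits it: type 3, code, checksum,
    4 unused bytes, then the offending IP header plus the first 8 payload bytes."""
    ihl = (offending[0] & 0x0F) * 4
    msg = struct.pack("!BBHI", ICMP_UNREACH, code, 0, 0) + offending[:ihl + 8]
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]

def classify_unreach(icmp):
    """Decode a captured ICMP unreachable and name the flow it rejects; None if it is not one."""
    if len(icmp) < 36 or icmp[0] != ICMP_UNREACH or inet_checksum(icmp) != 0:
        return None
    code, inner = icmp[1], icmp[8:]
    ihl = (inner[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return {
        "code": {ICMP_UNREACH_HOST: "host", ICMP_UNREACH_PORT: "port"}.get(code, str(code)),
        "proto": inner[9],
        "src": ".".join(map(str, inner[12:16])),
        "dst": ".".join(map(str, inner[16:20])),
        "sport": sport,
        "dport": dport,
        # per the PR, SunOS 4.x drops every socket to the ICMP source on a port unreachable
        "sunos_teardown_risk": code == ICMP_UNREACH_PORT,
    }

# constructed sample: SYN of an identd probe from a Sun (10.0.0.2) to port 113 on the firewall host (10.0.0.1)
probe_tcp = struct.pack("!HHIIBBHHH", 40000, IDENT_PORT, 1, 0, 0x50, 0x02, 8192, 0, 0)
probe = ipv4_header(bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1]), IPPROTO_TCP, len(probe_tcp)) + probe_tcp
REJECT_ORIGINAL = build_unreach(ICMP_UNREACH_PORT, probe)  # reply from the unpatched kernel
REJECT_PATCHED = build_unreach(ICMP_UNREACH_HOST, probe)   # reply after the PR's patch
```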
>Release-Note:
>Audit-Trail:

From: Bill Fenner <fenner@parc.xerox.com>
To: freebsd-gnats-submit@freebsd.org, nsayer@quack.kfu.com
Cc:
Subject: Re: kern/3446: IPFIREWALL reject returns port unreachable, not host
Date: Mon, 5 May 1997 23:59:25 PDT

 The other way to work around broken TCP implementations is to return
 a TCP RST for a reject rule.
 
   Bill
State-Changed-From-To: open->closed
State-Changed-By: fenner
State-Changed-When: Sun Jul 6 12:42:34 PDT 1997
State-Changed-Why:
Turns out this is yet another duplicate, for kern/3452.
I missed that one because it's closed.
>Unformatted:
