From dwh@dwh2.kfu.com  Tue Apr 29 19:37:13 1997
Received: from dwh2.kfu.com (mg136-173.ricochet.net [204.179.136.173])
          by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id TAA27314
          for <FreeBSD-gnats-submit@freebsd.org>; Tue, 29 Apr 1997 19:37:08 -0700 (PDT)
Received: (from root@localhost) by dwh2.kfu.com (8.7.6/8.7.3) id TAA00535; Tue, 29 Apr 1997 19:34:32 -0700 (PDT)
Message-Id: <199704300234.TAA00535@dwh2.kfu.com>
Date: Tue, 29 Apr 1997 19:34:32 -0700 (PDT)
From: nsayer@quack.kfu.com
Reply-To: nsayer@quack.kfu.com
To: FreeBSD-gnats-submit@freebsd.org
Subject: ipfw rejected packets respond port unreach instead of host
X-Send-Pr-Version: 3.2

>Number:         3452
>Category:       kern
>Synopsis:       ipfw rejected packets respond port unreach instead of host
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Thu May  1 00:54:31 PDT 1997
>Closed-Date:    Mon May 5 19:47:54 PDT 1997
>Last-Modified:  Sun Jul  6 12:50:00 PDT 1997
>Originator:     Nick Sayer
>Release:        FreeBSD 2.2-961006-SNAP i386
>Organization:
Just me
>Environment:

>Description:

When IPFIREWALL rejects a packet, it sends an ICMP port unreachable.
While this is correct in theory, the more correct thing to do is
to send _host_ unreachable. Sending port unreachable causes many
systems (notably SunOS 4.x) to close _all_ sockets to your host,
not just the one that was rejected. Sending host unreachable
does the right thing.

Yes, this is ridiculous, but until _everyone_ runs with a 4.4BSD IP stack...

>How-To-Repeat:

Set up IPFW to reject port 113. Telnet to quack.kfu.com. You will
connect, then disconnect a second later. Why? The auth daemon
tried to log your auth data, got a port unreachable, and SunOS
in its wisdom cut all of the sockets loose.

If you _deny_ port 113 instead, then web servers out there that
want to collect your auth data will hang for the TCP connect timeout
interval because their SYN packets are being dropped.

Yes, you can just pass port 113, and that fixes auth, but that's
not really the point here.

>Fix:

Send host unreachable instead of port.

>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: alex 
State-Changed-When: Mon May 5 19:47:54 PDT 1997 
State-Changed-Why:  
Ipfw's behavior is correct, see Stevens TCP/IP Illustrated Vol 1, 
section 21.10: "A received host unreachable or network unreachable 
is effectively ignored, since these two errors are considered 
transient. ... must not abort the connection.  Instead TCP 
keeps trying to send the data that caused the error..." 

Reject should not put the remote host into a state of retry. 

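The following is an added illustration, not part of this PR, of ipfw, or of any BSD source: it models what a receiving TCP does with the ICMP destination-unreachable message an ipfw "reject" produces, covering both the submitter's description and the RFC 1122 / Stevens 21.10 rule cited above. It builds a constructed ident probe (TCP/113) and the ICMP reply a filter would send for it, parses the reply the way a conforming stack must (verify the checksum, recover the four-tuple from the quoted datagram, classify the code), and shows that only the one matching connection is affected while net/host unreachable is treated as transient. The addresses and ports are constructed values from the RFC 5737 documentation ranges; the ICMP code table and the hard/soft split follow RFC 792 and RFC 1122 section 4.2.3.9, with code 4 deliberately left out of the abort set (an assumption noted in the code) because BSD stacks use it for path MTU discovery.

```python
import socket
import struct

ICMP_DEST_UNREACH = 3
UNREACH_NAMES = {0: "net", 1: "host", 2: "protocol", 3: "port",
                 4: "needfrag", 5: "srcfail", 13: "filter-prohib"}
# RFC 1122 section 4.2.3.9 (the rule Stevens, TCP/IP Illustrated Vol. 1,
# section 21.10 summarises): net (0) and host (1) unreachable are soft,
# possibly transient errors that must not abort a connection; protocol (2)
# and port (3) unreachable are hard errors that do.  RFC 1122 also lists
# code 4 (needfrag) as hard, but BSD stacks consume it for path MTU discovery
# rather than aborting, so this model (an assumption) keeps only 2 and 3.
HARD_ERROR_CODES = {2, 3}


def inet_checksum(data: bytes) -> int:
    """Standard ones'-complement Internet checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_tcp_syn(src: str, dst: str, sport: int, dport: int, seq: int) -> bytes:
    """Constructed sample datagram: a minimal IPv4 header followed by a TCP SYN header."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64,
                         socket.IPPROTO_TCP, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", inet_checksum(ip_hdr)) + ip_hdr[12:]
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02, 65535, 0, 0)
    return ip_hdr + tcp_hdr


def build_dest_unreach(code: int, original: bytes) -> bytes:
    """Build the ICMP message a filter sends back: type 3, the given code, and
    (per RFC 792) the IP header plus the first 8 bytes of the datagram it discarded."""
    ihl = (original[0] & 0x0F) * 4
    body = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + original[:ihl + 8]
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def parse_dest_unreach(msg: bytes) -> dict:
    """Do what a receiving TCP must do: verify the message, recover the 4-tuple of
    the one connection the quoted datagram belonged to, and decide hard vs soft."""
    if inet_checksum(msg) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, code = msg[0], msg[1]
    if icmp_type != ICMP_DEST_UNREACH:
        raise ValueError("not a destination unreachable message")
    quoted = msg[8:]
    ihl = (quoted[0] & 0x0F) * 4
    if quoted[9] != socket.IPPROTO_TCP or len(quoted) < ihl + 4:
        raise ValueError("quoted datagram is not TCP or is truncated")
    sport, dport = struct.unpack("!HH", quoted[ihl:ihl + 4])
    return {
        "code": code,
        "code_name": UNREACH_NAMES.get(code, str(code)),
        # The quoted datagram is one *we* sent, so its source is our local end.
        "laddr": socket.inet_ntoa(quoted[12:16]), "lport": sport,
        "raddr": socket.inet_ntoa(quoted[16:20]), "rport": dport,
        "action": "abort" if code in HARD_ERROR_CODES else "retry",
    }


def affected_connections(info: dict, pcbs: list) -> list:
    """Return only the connection(s) the error applies to.  A stack that instead
    matched on the remote address alone would drop every socket to that host,
    which is the behaviour the PR complains about."""
    key = (info["laddr"], info["lport"], info["raddr"], info["rport"])
    return [pcb for pcb in pcbs if pcb == key]


if __name__ == "__main__":
    # Constructed scenario: our ident probe to TCP/113 on a host whose ipfw
    # rejects it, while two other connections to the same host stay open.
    us, them = "192.0.2.10", "198.51.100.5"
    pcbs = [(us, 40000, them, 113), (us, 40001, them, 23), (us, 40002, them, 80)]
    probe = build_ipv4_tcp_syn(us, them, 40000, 113, 1)
    for code in (3, 1):  # port unreachable, then host unreachable
        info = parse_dest_unreach(build_dest_unreach(code, probe))
        print(info["code_name"], "->", info["action"], affected_connections(info, pcbs))
```

Run stand-alone, it reports "port -> abort" for the single 113 connection and "host -> retry" for the same tuple, which is exactly the distinction the audit trail relies on: the port-unreachable reply is the one that lets a conforming remote TCP give up immediately rather than retransmit, and a stack that demultiplexes the quoted datagram properly touches nothing but that one socket.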

From: Bill Fenner <fenner>
To: freebsd-gnats-submit
Cc:
Subject: Re: kern/3452: ipfw rejected packets respond port unreach instead of host
Date: Sun, 6 Jul 1997 12:43:47 -0700 (PDT)

 See kern/3446's audit-trail for one piece of input.
>Unformatted:
