On Wed, 7 Aug 2002 00:21:22 +0200 "Daniel Hartmeier" <[EMAIL PROTECTED]> wrote:
> On Tue, Aug 06, 2002 at 06:57:08PM -0300, Ethy H. Brito wrote:
> 
> > And what would be the address it (the bridge) is going to put in the
> > packet? The new assigned bridge interface address or the connection
> > originator address? I ask this because ipf has an option
> > (return-icmp-as-dest) that did the trick very well.
> 
> For return-rst, the destination of the blocked packet, and for
> return-icmp, the firewall's address. For some ICMP errors (like
> 'host unreachable'), it makes no sense to use the destination's
> address.

I can see why the returned packet must have the firewall's IP address in the case of an ICMP error (like 'host unreachable'). But what is not "understandable" to me is why the bridge has to have an IP if it will return the packet with the originator's IP (in the case of return-rst).

> An optional 'return-icmp as <ip>' or similar has been suggested
> before, but we haven't found an elegant way to implement it without
> duplicating large chunks of code already found in the stack.

This would be a nice feature, since the bridge could 'return-icmp as' the router that precedes it (as you say below)! (The funny part is that it seems not that difficult to the ignorant! The bridge receives a packet, blocks it, and just reverts the orig/dest IPs and sends back the ICMP msg.)

> Most ICMP errors should actually come from a router in front of the
> protected destination (and not the destination itself), some people
> seem to be concerned with advertising the router's address in the ICMP
> error.

That's my concern too. I am a master's degree student in Computer Science, and we were asked to write a bridge (using OpenBSD) to do this particular job (return rst/icmp to originators). It seems that the teacher knows about this "problem" and wants to see what we (students) will do _OR_ wants us to discover why it doesn't work in a plain bridge configuration.

Regards

Ethy
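The two behaviours Daniel describes, written out as a pf.conf fragment for a filtering bridge. This is an added illustration, not a ruleset from the thread; the interface names (fxp0, fxp1, bridge0) and the protected host 192.0.2.10 are assumptions.

```pf
# Assumed layout: fxp0 (outside) and fxp1 (inside) are members of bridge0;
# the filter rules are applied on the outside member interface.
ext_if = "fxp0"
int_if = "fxp1"
server = "192.0.2.10"

# Default: drop silently, nothing is sent back to the originator.
block in on $ext_if all

# TCP: the RST pf generates carries the blocked packet's *destination*
# ($server) as its source address, so nothing about the bridge itself
# is revealed and the bridge needs no address of its own for this.
block return-rst in on $ext_if proto tcp from any to $server port 25

# UDP (and anything that cannot be answered with a RST): the ICMP error
# is sourced from the firewall's own address, so this only works when the
# firewall has an IP, and that address is then visible to the originator.
block return-icmp(port-unr) in on $ext_if proto udp from any to $server

# Traffic that is actually wanted.
pass in on $ext_if proto tcp from any to $server port 80
```

If the bridge is meant to stay invisible, keep the silent block as the default and use return-rst only where a visible reject is required; return-icmp is the case that exposes an address.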
