
Re: return-icmp and a particular code



On Mon, Dec 09, 2002 at 05:58:15PM -0500, Michael Lucas wrote:
> I need to be able to return specific ICMP responses to particular
> connection attempts, instead of just "unreachable".  (say, "prohibited
> by filter" or some such).
The type is always "unreachable" (ICMP_UNREACH), but you can choose the
code inside that type:
  net-unr	ICMP_UNREACH_NET
  host-unr	ICMP_UNREACH_HOST
  proto-unr	ICMP_UNREACH_PROTOCOL
  port-unr	ICMP_UNREACH_PORT	(that's the default)
  net-prohib	ICMP_UNREACH_NET_PROHIB
  host-prohib	ICMP_UNREACH_HOST_PROHIB
  etc.
  (complete list is in src/sbin/pfctl/pfctl_parser.c icmp_code[])
and for icmp6
  admin-unr	ICMP6_DST_UNREACH_ADMIN
  addr-unr	ICMP6_DST_UNREACH_ADDR
  port-unr	ICMP6_DST_UNREACH_NOPORT (default)
  etc.
  (same place, icmp6_code[])
For the numeric list, see /usr/include/netinet/ip_icmp.h
> But, try as I might, I cannot specify any ICMP message numbers on the
> line.  Judging from Google, nobody else is trying to specify message 3
> code 9 or such.  How do these need to be formatted?
block return-icmp(net-prohib) in on $ext_if inet all
  or
block return-icmp(9) ...
Daniel
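As an added illustration (not part of this thread, and not pf's own code), the following Python maps the keyword or number given to return-icmp(...) / return-icmp6(...) onto the ICMP destination-unreachable code it selects, builds the ICMPv4 message pf would emit for a blocked packet, and decodes one back so a captured reply (for example from tcpdump) can be checked against the rule. The keyword column is taken from pf.conf(5) for the IPv4 codes; for ICMPv6 only the keywords named in the message above are filled in, the rest carry just their <netinet/icmp6.h> macro. The quoted datagram is a constructed sample, and the ICMPv6 checksum (which needs a pseudo-header) is deliberately not modelled.

```python
"""Decode and encode ICMP destination-unreachable codes as pf's return-icmp names them."""
import struct

ICMP_UNREACH = 3        # ICMPv4 type: destination unreachable
ICMP6_DST_UNREACH = 1   # ICMPv6 type: destination unreachable

# code -> (C macro from <netinet/ip_icmp.h>, pf.conf keyword)
ICMP_UNREACH_CODES = {
    0: ("ICMP_UNREACH_NET", "net-unr"),
    1: ("ICMP_UNREACH_HOST", "host-unr"),
    2: ("ICMP_UNREACH_PROTOCOL", "proto-unr"),
    3: ("ICMP_UNREACH_PORT", "port-unr"),          # pf's default
    4: ("ICMP_UNREACH_NEEDFRAG", "needfrag"),
    5: ("ICMP_UNREACH_SRCFAIL", "srcfail"),
    6: ("ICMP_UNREACH_NET_UNKNOWN", "net-unk"),
    7: ("ICMP_UNREACH_HOST_UNKNOWN", "host-unk"),
    8: ("ICMP_UNREACH_ISOLATED", "isolate"),
    9: ("ICMP_UNREACH_NET_PROHIB", "net-prohib"),
    10: ("ICMP_UNREACH_HOST_PROHIB", "host-prohib"),
    11: ("ICMP_UNREACH_TOSNET", "net-tos"),
    12: ("ICMP_UNREACH_TOSHOST", "host-tos"),
    13: ("ICMP_UNREACH_FILTER_PROHIB", "filter-prohib"),
    14: ("ICMP_UNREACH_HOST_PRECEDENCE", "host-preced"),
    15: ("ICMP_UNREACH_PRECEDENCE_CUTOFF", "cutoff-preced"),
}
# code -> (C macro from <netinet/icmp6.h>, pf keyword or None if not listed above)
ICMP6_DST_UNREACH_CODES = {
    0: ("ICMP6_DST_UNREACH_NOROUTE", None),
    1: ("ICMP6_DST_UNREACH_ADMIN", "admin-unr"),
    3: ("ICMP6_DST_UNREACH_ADDR", "addr-unr"),
    4: ("ICMP6_DST_UNREACH_NOPORT", "port-unr"),   # pf's default
}


def resolve_code(spec, family="inet"):
    """Turn the argument of return-icmp(...) (keyword or bare number) into a code."""
    table = ICMP_UNREACH_CODES if family == "inet" else ICMP6_DST_UNREACH_CODES
    if spec.isdigit():                  # numeric form, e.g. return-icmp(9)
        code = int(spec)
        if code not in table:
            raise ValueError(f"unknown {family} unreachable code {code}")
        return code
    for code, (_macro, keyword) in table.items():   # keyword form, e.g. net-prohib
        if keyword == spec:
            return code
    raise ValueError(f"unknown {family} icmp code keyword {spec!r}")


def inet_checksum(data):
    """RFC 1071 ones-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_unreach(code, quoted):
    """ICMPv4 destination-unreachable: type 3, chosen code, 4 unused bytes,
    then the offending IP header + first 8 bytes of its payload."""
    body = struct.pack("!BBHI", ICMP_UNREACH, code, 0, 0) + quoted
    csum = inet_checksum(body)
    return struct.pack("!BBHI", ICMP_UNREACH, code, csum, 0) + quoted


def decode_unreach(pkt):
    """Parse a raw ICMPv4 message and name its code the way pf.conf would."""
    if len(pkt) < 8:
        raise ValueError("short ICMP message")
    icmp_type, code, _csum, _unused = struct.unpack("!BBHI", pkt[:8])
    macro, keyword = ("?", None)
    if icmp_type == ICMP_UNREACH:
        macro, keyword = ICMP_UNREACH_CODES.get(code, ("?", None))
    return {
        "type": icmp_type,
        "code": code,
        "macro": macro,
        "keyword": keyword,
        "checksum_ok": inet_checksum(pkt) == 0,   # a valid message sums to zero
        "quoted": pkt[8:],
    }


# Constructed sample: IPv4 header plus the first 8 bytes of a TCP SYN
# from 192.0.2.1:34567 to 198.51.100.7:22, as quoted inside the unreachable.
SAMPLE_QUOTED = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 44, 0x1234, 0x4000, 64, 6, 0,
                            bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])) \
    + struct.pack("!HHI", 34567, 22, 1)

if __name__ == "__main__":
    for spec in ("net-prohib", "9", "port-unr"):
        code = resolve_code(spec)
        info = decode_unreach(build_unreach(code, SAMPLE_QUOTED))
        print(f"block return-icmp({spec}) -> type {info['type']} code {info['code']}"
              f" {info['macro']} checksum_ok={info['checksum_ok']}")
```

Both spellings in the reply, return-icmp(net-prohib) and return-icmp(9), resolve to the same type 3 / code 9 message; decode_unreach is the check to run over a captured reply when you want to confirm the firewall actually sent the code the rule names rather than the port-unr default.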