Date: Thu, 8 Nov 2007 12:14:16 +0200
From: Nikos Vassiliadis <nvass@teledomenet.gr>
To: freebsd-questions@freebsd.org
Cc: Malcolm Clarke <malcolm.clarke@brunel.ac.uk>
Subject: Re: IP packet with options
Message-ID: <200711081214.16533.nvass@teledomenet.gr>
In-Reply-To: <4731E220.3050006@brunel.ac.uk>
References: <4731E220.3050006@brunel.ac.uk>

On Wednesday 07 November 2007 18:04:48 Malcolm Clarke wrote:
> I have configured a machine with 2 NIC and IPFW in a rather simplistic
> way as we are using it to emulate different link characteristics rather
> than as an actual firewall.
>
> 00100 4 355 pipe 1 ip from any to any via de0 in
> 00200 1 56 pipe 2 ip from any to any via de0 out
> 00300 0 0 pipe 3 ip from any to any via de1 in
> 00400 3 288 pipe 4 ip from any to any via de1 out
> 65535 4 246 deny ip from any to any
>
> The configuration works fine and traffic crosses the firewall without
> problem, except ICMP packets having timestamp or routing option, and
> these are not returned.
>
> Is there a way to allow these packets to enter/exit the firewall?

You have to explicitly enable processing of source routed packets.
Forwarding such packets is denied by default. Use
"sysctl net.inet.ip.sourceroute=1". Timestamp requests are forwarded
by default as far as I know.

HTH, Nikos