From: "John Archambeau"
To: "Remko Lodder"
Cc: freebsd-doc@freebsd.org
Date: Tue, 5 Sep 2006 12:52:11 -0700
Subject: Re: docs/101114: icmptype names not in icmp(4) manpage

I draw your attention to the following paragraph on the manpage for
pf.conf(5):

     icmp-type _type_ code _code_
     icmp6-type _type_ code _code_
           This rule only applies to ICMP or ICMPv6 packets with the
           specified type and code. Text names for ICMP types and codes
           are listed in icmp(4) and icmp6(4). This parameter is only
           valid for rules that cover protocols ICMP or ICMP6. The
           protocol and the ICMP type indicator (icmp-type or icmp6-type)
           must match.

To create a pf.conf file (see man pf.conf) properly for filtering of
icmp, you must specify the icmptype(s) by abbreviation per the OpenBSD
icmp(4) manpage you wish to filter. It's not like ipfw where you can
specify the icmptype by number; it must be the type by the abbreviation
as specified by the OpenBSD manpage for icmptypes.

Since the pf.conf manpage references the icmptype abbreviations used by
both FreeBSD and OpenBSD, the icmp manpage should be the same for both
with the icmptype abbreviations.

Also, if you do a pfctl -sr on a machine running pf instead of ipfw to
look at your ruleset, your icmp rules are listed by the icmptype
abbreviation in the OpenBSD icmp(4) manpage, not the number as ipfw
does.

Therefore, since it appears to be an integral requirement of pf, pfctl
and pf.conf to reference icmp packets by their type abbreviation, the
FreeBSD icmp(4) manpage should be updated to reflect this.

Here's the output of pfctl -sr with the icmp rules outlined from one of
my firewall machines running FreeBSD 6.1:

     pass in log-all on fxp1 inet proto icmp all icmp-type echorep keep state
     pass in log-all on fxp1 inet proto icmp all icmp-type unreach keep state
     pass in log-all on fxp1 inet proto icmp all icmp-type squench keep state
     pass in log-all on fxp1 inet proto icmp all icmp-type timex keep state
     pass in log-all on fxp1 inet proto icmp all icmp-type paramprob keep state

Note they are by icmptype abbreviation and NOT number code as ipfw has
them.

On 9/5/06, Remko Lodder wrote:
> Synopsis: icmptype names not in icmp(4) manpage
>
> State-Changed-From-To: open->feedback
> State-Changed-By: remko
> State-Changed-When: Tue Sep 5 11:57:04 UTC 2006
> State-Changed-Why:
> Hello,
>
> After looking into the ICMP man page you described, I am not
> very sure whether your information should be there at all.
>
> It specifically mentions the kernel interface and there
> is no need to have your ICMP information there.
>
> That the manual page of pf.conf refers to this section
> might be a left over from OpenBSD.
>
> What do others on the list think about this and what does
> the submitter think about this?
>
> Mark the PR into feedback mode for this.
>
> http://www.freebsd.org/cgi/query-pr.cgi?pr=101114
>
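
Added example, not part of the original message or of the FreeBSD/OpenBSD sources: a Python script that reads `pfctl -sr` output like the rules quoted in the message and annotates each icmp-type abbreviation with its numeric ICMP type, so a pf ruleset can be cross-checked against a number-based one such as ipfw's. The function and variable names are hypothetical; the table covers the common ICMPv4 abbreviations only.

```python
import re

# ICMPv4 type abbreviations as used by pf's icmp-type keyword, mapped to the
# numeric ICMP type. Common subset only; extend from icmp(4) as needed.
ICMP_TYPE_NUMBERS = {
    "echorep": 0, "unreach": 3, "squench": 4, "redir": 5, "althost": 6,
    "echoreq": 8, "routeradv": 9, "routersol": 10, "timex": 11,
    "paramprob": 12, "timereq": 13, "timerep": 14, "inforeq": 15,
    "inforep": 16, "maskreq": 17, "maskrep": 18,
}

# One rule line of `pfctl -sr` output that filters ICMPv4 by type.
# "proto icmp\b" deliberately does not match "proto icmp6".
RULE_RE = re.compile(
    r"^(?P<action>pass|block)\b.*?\bon (?P<iface>\S+)\b.*?"
    r"\bproto icmp\b.*?\bicmp-type (?P<type>\S+)"
)

# The five rules quoted in the message (FreeBSD 6.1, interface fxp1).
SAMPLE_PFCTL_SR = """\
pass in log-all on fxp1 inet proto icmp all icmp-type echorep keep state
pass in log-all on fxp1 inet proto icmp all icmp-type unreach keep state
pass in log-all on fxp1 inet proto icmp all icmp-type squench keep state
pass in log-all on fxp1 inet proto icmp all icmp-type timex keep state
pass in log-all on fxp1 inet proto icmp all icmp-type paramprob keep state
"""


def annotate_icmp_rules(pfctl_output):
    """Return (iface, action, name, number) for each ICMPv4 rule line.

    number is None when the abbreviation is not in ICMP_TYPE_NUMBERS;
    a bare number in the rule text is kept as that number.
    """
    rows = []
    for line in pfctl_output.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # not an ICMPv4 icmp-type rule
        name = m.group("type")
        number = int(name) if name.isdigit() else ICMP_TYPE_NUMBERS.get(name)
        rows.append((m.group("iface"), m.group("action"), name, number))
    return rows


if __name__ == "__main__":
    for iface, action, name, number in annotate_icmp_rules(SAMPLE_PFCTL_SR):
        shown = "unknown" if number is None else number
        print(f"{iface}: {action} icmp-type {name} (type {shown})")
```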