Date:      Fri, 29 Nov 2013 14:13:01 +0100
From:      Ermal Luçi <eri@freebsd.org>
To:        Ian FREISLICH <ianf@clue.co.za>
Cc:        "freebsd-pf@freebsd.org" <freebsd-pf@freebsd.org>
Subject:   Re: icmp-type echoreq not matching resulting ttl exceeded
Message-ID:  <CAPBZQG0HeF%2BiyS90HW=Mbjq3db59Nnd0s9rWv=3S7L6d3o49Zg@mail.gmail.com>
In-Reply-To: <E1VmNBM-00019a-4U@clue.co.za>
References:  <E1VmNBM-00019a-4U@clue.co.za>


On Fri, Nov 29, 2013 at 1:28 PM, Ian FREISLICH <ianf@clue.co.za> wrote:

> Hi
>
> At some point this stopped working.  I was able to use traceroute -I
> This rule let the echo request out and the resulting TTL exceeded
> was matched and allowed back in.
>
>
Which FreeBSD version are you testing this on?
Normally it should just work unless the reply src IP is different from your
sent dst IP.


> pass  out inet proto icmp from <ournets> to any icmp-type echoreq
>
> I've had to change the rule to the following to keep traceroute going:
>
> pass  out inet proto icmp from <ournets> to any
>
> Ian
>
> --
> Ian Freislich



-- 
Ermal
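
The behaviour discussed in this thread, a TTL-exceeded error being tied back to the state created by the outgoing echo request, can be modelled by looking at the original header that the ICMP error quotes, because the error itself is sent by an intermediate hop. The following is an added example, not code from pf or from this thread: a simplified model in which the addresses, echo ID and state table are constructed.

```python
import socket
import struct

ECHO_REQUEST, TIME_EXCEEDED, PROTO_ICMP = 8, 11, 1

def ipv4(src, dst, payload, ttl=64):
    # 20-byte IPv4 header; checksum left 0 because this sketch never verifies it
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl,
                       PROTO_ICMP, 0, socket.inet_aton(src),
                       socket.inet_aton(dst)) + payload

def echo_request(src, dst, ident, seq, ttl):
    return ipv4(src, dst, struct.pack("!BBHHH", ECHO_REQUEST, 0, 0, ident, seq), ttl)

def time_exceeded(router, original):
    # ICMP error = 8-byte header + quoted original IP header + first 8 payload bytes
    body = struct.pack("!BBHI", TIME_EXCEEDED, 0, 0, 0) + original[:28]
    return ipv4(router, socket.inet_ntoa(original[12:16]), body)

def quoted_echo_key(packet):
    """Return (src, dst, echo id) of the echo request quoted in a
    TTL-exceeded error, or None if the packet is not such an error."""
    if len(packet) < 20:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != PROTO_ICMP or len(packet) < ihl + 8 or packet[ihl] != TIME_EXCEEDED:
        return None
    inner = packet[ihl + 8:]          # skip the 8-byte ICMP error header
    if len(inner) < 20:
        return None
    inner_ihl = (inner[0] & 0x0F) * 4
    if inner[9] != PROTO_ICMP or len(inner) < inner_ihl + 8:
        return None
    itype, _, _, ident, _ = struct.unpack("!BBHHH", inner[inner_ihl:inner_ihl + 8])
    if itype != ECHO_REQUEST:
        return None
    return socket.inet_ntoa(inner[12:16]), socket.inet_ntoa(inner[16:20]), ident

def error_matches_state(packet, states):
    # The outer source (the hop) is ignored; only the quoted packet is compared.
    key = quoted_echo_key(packet)
    return key is not None and key in states

# Constructed sample: one traceroute -I probe and the state it would create.
PROBE = echo_request("192.0.2.10", "198.51.100.7", ident=0x1234, seq=1, ttl=1)
STATES = {("192.0.2.10", "198.51.100.7", 0x1234)}
REPLY = time_exceeded("203.0.113.1", PROBE)  # sent by the hop, not the target

if __name__ == "__main__":
    print(error_matches_state(REPLY, STATES))
```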


