From: Nikos Vassiliadis
To: freebsd-questions@freebsd.org
Cc: Malcolm Clarke
Date: Thu, 8 Nov 2007 12:14:16 +0200
Subject: Re: IP packet with options
Message-Id: <200711081214.16533.nvass@teledomenet.gr>
In-Reply-To: <4731E220.3050006@brunel.ac.uk>

On Wednesday 07 November 2007 18:04:48 Malcolm Clarke wrote:
> I have configured a machine with 2 NIC and IPFW in a rather simplistic
> way as we are using it to emulate different link characteristics rather
> than as an actual firewall.
>
> 00100 4 355 pipe 1 ip from any to any via de0 in
> 00200 1 56 pipe 2 ip from any to any via de0 out
> 00300 0 0 pipe 3 ip from any to any via de1 in
> 00400 3 288 pipe 4 ip from any to any via de1 out
> 65535 4 246 deny ip from any to any
>
> The configuration works fine and traffic crosses the firewall without
> problem, except ICMP packets having timestamp or routing option, and
> these are not returned.
>
> Is there a way to allow these packets to enter/exit the firewall?

You have to explicitly enable processing of source routed packets.
Forwarding such packets is denied by default. Use
"sysctl net.inet.ip.sourceroute=1". Timestamp requests are forwarded
by default as far as I know.

HTH, Nikos