From owner-freebsd-security Thu Jun 8 13:50:33 2000
Date: Thu, 8 Jun 2000 17:49:10 +0000 (GMT)
From: Fernando Gleiser <fgleiser@cactus.fi.uba.ar>
To: Fernando Schapachnik
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: IPFilter question
In-Reply-To: <200006071452.LAA16205@ns1.via-net-works.net.ar>

On Wed, 7 Jun 2000, Fernando Schapachnik wrote:

> Hi:
> I've read the ipf-howto whose URL was published in the list a
> few months ago and used it to construct a FW. Everything was fine except
> for:
>
> Using keep state with icmp doesn't allow traceroutes. The
> solution I found was to let icmp types 0 and 11 in. Is this supposed
> to work this way or did I misconfigure something? Shouldn't `keep state' be
> enough to let traceroute work?

You don't need to allow icmp type 0. It is covered by the keep state.

You also need to allow incoming ICMP type 3 (unreachable) codes 0, 1, 3, 9,
10 and 13 for traceroute to work properly.

You also need to allow ICMP type 3 code 4 (unreachable: need to frag) for
path MTU discovery to work.

If you have further questions, mail me privately and I'll give you my
phone number (I live in Bs As also).

Fer
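The following ipf ruleset is an added example, not part of either posting, showing how the ICMP allowances described in the reply fit into a default-deny, keep-state configuration. The interface names fxp0 (outside) and fxp1 (inside) are assumptions.

```conf
# Added example ruleset (not from the original posting). Assumes fxp0 is
# the external interface; ICMP type/code numbers follow the reply above.

# Default deny in both directions, logging what gets dropped.
block in log all
block out log all

# Outbound traffic from the firewall, stateful: replies come back through
# the state table. This is what covers ICMP echo-reply (type 0), so pings
# work without a separate inbound rule.
pass out quick on fxp0 proto tcp from any to any flags S keep state
pass out quick on fxp0 proto udp from any to any keep state
pass out quick on fxp0 proto icmp from any to any keep state

# traceroute: intermediate hops answer the UDP probes with ICMP
# time-exceeded (type 11), the final hop with port-unreachable (type 3
# code 3). These are ICMP errors, not replies to an ICMP request, so the
# keep state entry does not admit them; they must be passed explicitly.
pass in quick on fxp0 proto icmp from any to any icmp-type timex
pass in quick on fxp0 proto icmp from any to any icmp-type unreach code 3

# Remaining destination-unreachable codes named in the reply:
# 0 net, 1 host, 9 net admin-prohibited, 10 host admin-prohibited,
# 13 communication administratively prohibited.
pass in quick on fxp0 proto icmp from any to any icmp-type unreach code 0
pass in quick on fxp0 proto icmp from any to any icmp-type unreach code 1
pass in quick on fxp0 proto icmp from any to any icmp-type unreach code 9
pass in quick on fxp0 proto icmp from any to any icmp-type unreach code 10
pass in quick on fxp0 proto icmp from any to any icmp-type unreach code 13

# Path MTU discovery: fragmentation-needed (type 3 code 4) must get in,
# otherwise large transfers to hosts behind a smaller-MTU link stall.
pass in quick on fxp0 proto icmp from any to any icmp-type unreach code 4
```

Everything else inbound still hits the default block, so only the listed ICMP errors and the replies tracked in the state table are admitted.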