From owner-freebsd-security Wed Jun 28 10:29:15 2000
Delivered-To: freebsd-security@freebsd.org
Received: from gatekeeper.veriohosting.com (gatekeeper.veriohosting.com [192.41.0.2]) by hub.freebsd.org (Postfix) with ESMTP id F1B5637B7C7 for ; Wed, 28 Jun 2000 10:29:07 -0700 (PDT) (envelope-from hart@iserver.com)
Received: by gatekeeper.veriohosting.com; Wed, 28 Jun 2000 11:29:06 -0600 (MDT)
Received: from unknown(192.168.1.109) by gatekeeper.veriohosting.com via smap (V3.1.1) id xma005479; Wed, 28 Jun 00 11:28:46 -0600
Received: (hart@localhost) by anchovy.orem.iserver.com (8.9.3) id LAA32143; Wed, 28 Jun 2000 11:28:46 -0600 (MDT)
Date: Wed, 28 Jun 2000 11:28:46 -0600 (MDT)
From: Paul Hart
X-Sender: hart@anchovy.orem.iserver.com
To: Fernando Schapachnik
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: icmp type 3 code 4: a couple of questions
In-Reply-To: <200006281303.KAA02473@ns1.via-net-works.net.ar>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 28 Jun 2000, Fernando Schapachnik wrote:

> > pass out quick on fxp0 proto tcp from any to any keep state
> > pass out quick on fxp0 proto udp from any to any keep state
> > pass out quick on fxp0 proto icmp from any to any keep state
>
> You will also need (at least in 3.4-RELEASE):
>
> pass in quick on fxp0 proto icmp from any to any icmp-type 11
>
> to let traceroute work.

No, not in my experience. Try it without your explicit rule to allow ICMP type 11 packets back in, as it does work for me without your rule.

I had the same concern about how the ICMP time exceeded packets would make their way back in. Darren Reed kindly commented on how the state tracking code in IP Filter handles this case. See:

http://false.net/ipfilter/2000_06/0234.html
http://false.net/ipfilter/2000_06/0235.html

Paul Hart

--
Paul Robert Hart        ><8> ><8> ><8>        Verio Web Hosting, Inc.
hart@iserver.com        ><8> ><8> ><8>        http://www.iserver.com/

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
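As an added illustration (not from this thread and not IP Filter's own code) of why the `keep state` rules above can let traceroute's ICMP type 11 replies and type 3 code 4 errors back in without an explicit inbound ICMP rule: a stateful filter can parse the original datagram's IP and transport headers that an ICMP error carries in its payload and check them against the flows it opened state for. The state table, addresses and packets below are constructed for the demonstration.

```python
import struct
from ipaddress import IPv4Address

# Constructed state table: flows created by outbound "pass out ... keep state"
# rules, keyed as (proto, src, sport, dst, dport) of the outbound packet.
STATE = {
    (17, "192.168.1.109", 33434, "10.0.0.1", 33435),  # traceroute UDP probe
    (6, "192.168.1.109", 51234, "10.0.0.2", 80),      # an outbound TCP session
}

def build_ipv4_header(proto, src, dst, total_len=48):
    """Minimal 20-byte IPv4 header for a constructed packet (checksum left 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)

def build_icmp_error(icmp_type, code, inner_ip, inner_l4):
    """ICMP error: 8-byte ICMP header, then the offending datagram's IP header
    plus the first 8 bytes of its payload (enough to hold the port pair)."""
    return struct.pack("!BBHI", icmp_type, code, 0, 0) + inner_ip + inner_l4[:8]

def icmp_error_matches_state(icmp_payload, state):
    """Return the matching state key if this ICMP error refers to a flow we
    opened, else None (unrelated or malformed errors get no free pass)."""
    if len(icmp_payload) < 8 or icmp_payload[0] not in (3, 11):
        return None                      # only unreachable / time exceeded
    inner = icmp_payload[8:]             # embedded original datagram
    if len(inner) < 20:
        return None
    ihl = (inner[0] & 0x0F) * 4
    proto = inner[9]
    if proto not in (6, 17) or len(inner) < ihl + 4:
        return None
    src = str(IPv4Address(inner[12:16]))
    dst = str(IPv4Address(inner[16:20]))
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    key = (proto, src, sport, dst, dport)
    return key if key in state else None

def check_sample_packets():
    """Build a few constructed inbound ICMP messages and classify each."""
    udp = struct.pack("!HHHH", 33434, 33435, 40, 0)
    tcp_ports = struct.pack("!HHI", 51234, 80, 0)
    spoofed = struct.pack("!HHHH", 33434, 40000, 40, 0)   # port never opened
    return {
        "time_exceeded": icmp_error_matches_state(build_icmp_error(
            11, 0, build_ipv4_header(17, "192.168.1.109", "10.0.0.1"), udp), STATE),
        "frag_needed": icmp_error_matches_state(build_icmp_error(
            3, 4, build_ipv4_header(6, "192.168.1.109", "10.0.0.2"), tcp_ports), STATE),
        "unrelated": icmp_error_matches_state(build_icmp_error(
            11, 0, build_ipv4_header(17, "192.168.1.109", "10.0.0.1"), spoofed), STATE),
        "echo_reply": icmp_error_matches_state(struct.pack("!BBHI", 0, 0, 0, 0), STATE),
    }
```

The two inbound errors that quote a flow present in the state table are accepted; the error quoting an unknown port pair and the plain echo reply are not matched and would fall through to the remaining rules.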