Date: Tue, 10 Mar 1998 10:12:21 -0600 (CST)
From: Alex Nash <nash@Mcs.Net>
To: Mike Tancsa <mike@sentex.net>
Cc: stable@FreeBSD.ORG
Subject: Re: ipfw unreach statement help
Message-ID: <Pine.BSF.3.95.980310093004.406A-100000@Jupiter.Mcs.Net>
In-Reply-To: <3.0.2.32.19980309214144.00c75100@sentex.net>

On Mon, 9 Mar 1998, Mike Tancsa wrote:

> On a FreeBSD 2.2-980304-SNAP machine, I added the following
>
> ipfw add 02007 unreach 13 log icmp from any to any in recv ed0 icmptype 8
>
> which shows up as
> 02007 7 588 unreach filter-prohib log icmp from any to any
> in recv ed0 icmptype 8
>
>
> But when I ping the host from the outside, I don't get an ICMP message back
> that it's blocked by a filter as I do when I ping different non-FreeBSD
> hosts (e.g.)

ipfw will not send an ICMP packet in response to an ICMP packet. Doing
so might result in some nasty endless loops.

One could argue that it would make sense to reply with ICMP_UNREACH when
the incoming packet was not ICMP_UNREACH, but more thought would be
required to ensure there weren't any endless loop scenarios possible from
this (I can't think of any off-hand).

Alex

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
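
The loop concern in the reply above, modelled as an added example (not part of the original message and not ipfw source code). It assumes two hosts that each reject all incoming ICMP with an unreach rule, which is broader than the icmptype 8 rule quoted; the policy names and simulate() are made up for the illustration, and the model covers only this two-host exchange.

```c
#include <stdio.h>

/* ICMP type numbers, same values as in <netinet/ip_icmp.h>. */
#define ICMP_UNREACH 3
#define ICMP_ECHO    8

/* Reply policies compared here; the names are hypothetical. */
enum policy {
    REPLY_TO_ANY_ICMP,     /* answer every rejected ICMP packet */
    NEVER_REPLY_TO_ICMP,   /* behaviour described in the message */
    REPLY_UNLESS_UNREACH   /* variant floated in the message */
};

/* Does a filter using policy p answer a rejected ICMP packet of this type? */
static int sends_unreach(enum policy p, int icmp_type)
{
    switch (p) {
    case REPLY_TO_ANY_ICMP:    return 1;
    case NEVER_REPLY_TO_ICMP:  return 0;
    case REPLY_UNLESS_UNREACH: return icmp_type != ICMP_UNREACH;
    }
    return 0;
}

/*
 * One packet of first_type arrives at a host; every unreach reply it
 * triggers is then filtered by the peer under the same policy.
 * Returns the number of unreach messages generated, or -1 if the
 * exchange is still going after max_msgs messages (an endless loop).
 */
int simulate(enum policy p, int first_type, int max_msgs)
{
    int type = first_type, sent = 0;

    while (sends_unreach(p, type)) {
        if (sent == max_msgs)
            return -1;
        sent++;
        type = ICMP_UNREACH;   /* the reply becomes the peer's input */
    }
    return sent;
}

int main(void)
{
    printf("reply to any ICMP:    %d\n", simulate(REPLY_TO_ANY_ICMP, ICMP_ECHO, 1000));
    printf("never reply to ICMP:  %d\n", simulate(NEVER_REPLY_TO_ICMP, ICMP_ECHO, 1000));
    printf("reply unless unreach: %d\n", simulate(REPLY_UNLESS_UNREACH, ICMP_ECHO, 1000));
    return 0;
}
```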