Date: Thu, 29 Jun 2000 10:17:11 -0300 (GMT)
From: Fernando Schapachnik <fpscha@ns1.via-net-works.net.ar>
To: hart@iserver.com (Paul Hart)
Cc: fpscha@via-net-works.net.ar, freebsd-security@FreeBSD.ORG
Subject: Re: icmp type 3 code 4: a couple of questions
Message-ID: <200006291317.KAA06030@ns1.via-net-works.net.ar>
In-Reply-To: <Pine.BSF.4.21.0006281114550.31913-100000@anchovy.orem.iserver.com> from Paul Hart at "Jun 28, 0 11:28:46 am"

In a previous message, Paul Hart wrote:
> On Wed, 28 Jun 2000, Fernando Schapachnik wrote:
>
> > > pass out quick on fxp0 proto tcp from any to any keep state
> > > pass out quick on fxp0 proto udp from any to any keep state
> > > pass out quick on fxp0 proto icmp from any to any keep state
> >
> > You will also need (at least in 3.4-RELEASE):
> >
> > pass in quick on fxp0 proto icmp from any to any icmp-type 11
> >
> > to let traceroute work.
>
> No, not in my experience. Try it without your explicit rule to allow ICMP
> type 11 packets back in as it does work for me without your rule.
>
> I had the same concern about how the ICMP time exceeded packets would make
> their way back in. Darren Reed kindly commented on how the state tracking
> code in IP Filter handles this case. See:
>
> http://false.net/ipfilter/2000_06/0234.html
> http://false.net/ipfilter/2000_06/0235.html

Thank you for clarifying this for me. Seems that I added the rule before
upgrading to IP Filter 3.4.6.

Regards!

Fernando P. Schapachnik
Network Administration
VIA NET.WORKS ARGENTINA S.A.
fernando@via-net-works.net.ar
(54-11) 4323-3333
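
Added example, not part of the original message and not IP Filter's own code: a simplified Python model of why a "keep state" rule can admit an inbound ICMP time exceeded (type 11) or unreachable (type 3) packet without an explicit "pass in" rule, by matching the packet quoted inside the ICMP error against flows the host opened. The class name, addresses and ports are constructed for illustration, and only UDP and TCP flows are modelled.

```python
import socket
import struct

def ip_header(src, dst, proto, payload_len):
    # Minimal 20-byte IPv4 header; checksum left at 0 (not checked in this model).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 1,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def udp_probe(src, sport, dst, dport):
    # Traceroute-style UDP probe: IP header plus 8-byte UDP header.
    return ip_header(src, dst, 17, 8) + struct.pack("!HHHH", sport, dport, 8, 0)

def icmp_error(router, dst, icmp_type, code, original):
    # RFC 792 error layout: type, code, checksum, 4 unused bytes, then the
    # offending packet's IP header and its first 8 payload bytes.
    body = struct.pack("!BBHI", icmp_type, code, 0, 0) + original[:28]
    return ip_header(router, dst, 1, len(body)) + body

def flow_key(packet):
    # (proto, src, sport, dst, dport), or None if truncated or not TCP/UDP.
    if len(packet) < 20:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] not in (6, 17) or len(packet) < ihl + 4:
        return None
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    return (packet[9], socket.inet_ntoa(packet[12:16]), sport,
            socket.inet_ntoa(packet[16:20]), dport)

class StateTable:  # hypothetical name, stands in for the filter's state table
    def __init__(self):
        self.flows = set()

    def outbound(self, packet):
        # Models "pass out quick ... keep state": remember the flow.
        key = flow_key(packet)
        if key is not None:
            self.flows.add(key)

    def inbound_icmp_allowed(self, packet):
        # Admit an ICMP error only when the packet it quotes belongs to a
        # flow recorded by outbound(); anything else falls through to the rules.
        ihl = (packet[0] & 0x0F) * 4
        if packet[9] != 1 or len(packet) < ihl + 8 or packet[ihl] not in (3, 11):
            return False
        key = flow_key(packet[ihl + 8:])
        return key is not None and key in self.flows
```

An ICMP error quoting a probe the host never sent, or one too truncated to identify the flow, is not matched, which is the property that makes the state-based approach tighter than a blanket "pass in ... icmp-type 11" rule.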
