From owner-freebsd-security Thu Jun 29 6:19:15 2000
Delivered-To: freebsd-security@freebsd.org
Received: from ns1.via-net-works.net.ar (ns1.via-net-works.net.ar [200.10.100.10]) by hub.freebsd.org (Postfix) with ESMTP id C2BFC37B87C for ; Thu, 29 Jun 2000 06:19:03 -0700 (PDT) (envelope-from fpscha@ns1.via-net-works.net.ar)
Received: (from fpscha@localhost) by ns1.via-net-works.net.ar (8.9.3/8.9.3) id KAA06030; Thu, 29 Jun 2000 10:17:12 -0300 (GMT)
From: Fernando Schapachnik
Message-Id: <200006291317.KAA06030@ns1.via-net-works.net.ar>
Subject: Re: icmp type 3 code 4: a couple of questions
In-Reply-To: from Paul Hart at "Jun 28, 0 11:28:46 am"
To: hart@iserver.com (Paul Hart)
Date: Thu, 29 Jun 2000 10:17:11 -0300 (GMT)
Cc: fpscha@via-net-works.net.ar, freebsd-security@FreeBSD.ORG
Reply-To: Fernando Schapachnik
X-Mailer: ELM [version 2.4ME+ PL40 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In a previous message, Paul Hart wrote:
> On Wed, 28 Jun 2000, Fernando Schapachnik wrote:
>
> > > pass out quick on fxp0 proto tcp from any to any keep state
> > > pass out quick on fxp0 proto udp from any to any keep state
> > > pass out quick on fxp0 proto icmp from any to any keep state
> >
> > You will also need (at least in 3.4-RELEASE):
> >
> > pass in quick on fxp0 proto icmp from any to any icmp-type 11
> >
> > to let traceroute work.
>
> No, not in my experience. Try it without your explicit rule to allow ICMP
> type 11 packets back in as it does work for me without your rule.
>
> I had the same concern about how the ICMP time exceeded packets would make
> their way back in. Darren Reed kindly commented on how the state tracking
> code in IP Filter handles this case. See:
>
> http://false.net/ipfilter/2000_06/0234.html
> http://false.net/ipfilter/2000_06/0235.html

Thank you for clarifying this for me.

Seems that I added the rule before upgrading to IP Filter 3.4.6.

Regards!

Fernando P. Schapachnik
Network administration
VIA NET.WORKS ARGENTINA S.A.
fernando@via-net-works.net.ar
(54-11) 4323-3333
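The thread above turns on how a stateful filter can let ICMP errors (type 11 time exceeded for traceroute, or the type 3 code 4 fragmentation-needed message from the subject line) back in for an outbound UDP flow created by a `keep state` rule, without a separate `pass in` rule for ICMP. The following is an added example and is not IP Filter's code or anything posted by Paul Hart, Darren Reed or Fernando Schapachnik: a simplified Python model of that mechanism, in which the filter records outbound UDP flows and admits an inbound ICMP error only when the IP/UDP header quoted inside the error matches a recorded flow. The addresses, ports, state-table layout and the exact matching rule are constructed assumptions for illustration.

```python
"""
Simplified model of stateful admission of ICMP error messages for a
tracked outbound UDP flow. Added example; not IP Filter's code. The
state-table layout and matching rule are assumptions, not ipf's own.
"""
import struct

PROTO_ICMP = 1
PROTO_UDP = 17
ICMP_DEST_UNREACH = 3    # code 4 = fragmentation needed
ICMP_TIME_EXCEEDED = 11  # what traceroute relies on


def inet_aton(text):
    return bytes(int(o) for o in text.split("."))


def inet_ntoa(raw):
    return ".".join(str(b) for b in raw)


def ipv4_header(src, dst, proto, ttl, payload_len, ident=0):
    """Minimal 20-byte IPv4 header (checksum left at zero; this is a model)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0,
                       ttl, proto, 0, inet_aton(src), inet_aton(dst))


def udp_header(sport, dport, payload_len):
    return struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)


def parse_ipv4(packet):
    """Return the fields the filter cares about; payload is truncated to what is present."""
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"src": inet_ntoa(src), "dst": inet_ntoa(dst), "proto": proto,
            "ttl": ttl, "payload": packet[ihl:total_len]}


class StateTable:
    """Tracks outbound UDP flows as a 'pass out ... keep state' rule would."""

    def __init__(self):
        self._flows = set()

    def add_outbound_udp(self, packet):
        ip = parse_ipv4(packet)
        if ip["proto"] != PROTO_UDP:
            raise ValueError("only UDP flows are modelled here")
        sport, dport = struct.unpack("!HH", ip["payload"][:4])
        self._flows.add((ip["src"], sport, ip["dst"], dport))

    def admits_icmp_error(self, packet):
        """True if an inbound ICMP error quotes a UDP flow present in the table."""
        ip = parse_ipv4(packet)
        if ip["proto"] != PROTO_ICMP:
            return False
        icmp = ip["payload"]
        # 8-byte ICMP header + at least a 20-byte inner IP header + 8 bytes of its payload
        if len(icmp) < 8 + 20 + 8:
            return False
        icmp_type = icmp[0]
        if icmp_type not in (ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED):
            return False
        # RFC 792: the error quotes the original IP header plus the first
        # 8 bytes of its payload, which for UDP contains both ports.
        inner = parse_ipv4(icmp[8:])
        if inner["proto"] != PROTO_UDP or len(inner["payload"]) < 4:
            return False
        sport, dport = struct.unpack("!HH", inner["payload"][:4])
        return (inner["src"], sport, inner["dst"], dport) in self._flows


def demo():
    """Constructed scenario: a traceroute probe, a matching error, and a stray one."""
    table = StateTable()

    # Outbound probe from our host 192.0.2.10 to 198.51.100.7, TTL 1 (constructed).
    probe_udp = udp_header(33434, 33435, 0)
    probe = ipv4_header("192.0.2.10", "198.51.100.7", PROTO_UDP, 1,
                        len(probe_udp)) + probe_udp
    table.add_outbound_udp(probe)

    # First-hop router 203.0.113.1 answers with time exceeded, quoting the probe.
    body = struct.pack("!BBHI", ICMP_TIME_EXCEEDED, 0, 0, 0) + probe[:28]
    reply = ipv4_header("203.0.113.1", "192.0.2.10", PROTO_ICMP, 64,
                        len(body)) + body

    # An error quoting a flow we never sent (different destination port).
    stray_udp = udp_header(33434, 53, 0)
    stray_probe = ipv4_header("192.0.2.10", "198.51.100.7", PROTO_UDP, 1,
                              len(stray_udp)) + stray_udp
    stray_body = struct.pack("!BBHI", ICMP_TIME_EXCEEDED, 0, 0, 0) + stray_probe[:28]
    stray = ipv4_header("203.0.113.1", "192.0.2.10", PROTO_ICMP, 64,
                        len(stray_body)) + stray_body

    return table.admits_icmp_error(reply), table.admits_icmp_error(stray)


if __name__ == "__main__":
    print(demo())
```

The point the model makes is that the ICMP error's outer source address (the router) never appears in the state table; what is matched is the quoted inner header, so the filter can accept time-exceeded or fragmentation-needed messages for flows it opened while still dropping unsolicited ICMP errors that quote no tracked flow.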