Date: Tue, 10 Mar 1998 12:57:43 -0500 (EST)
From: Mike D Tancsa <mdtancsa@sentex.net>
To: nash@Mcs.Net
Cc: mike@sentex.net, stable@FreeBSD.ORG
Subject: Re: ipfw unreach statement help
Message-ID: <199803101757.MAA29599@granite.sentex.net>
In-Reply-To: <Pine.BSF.3.95.980310093004.406A-100000@Jupiter.Mcs.Net> from Alex Nash at "Mar 10, 98 10:12:21 am"
> On Mon, 9 Mar 1998, Mike Tancsa wrote:
>
> > On a FreeBSD 2.2-980304-SNAP machine, I added the following
> >
> > ipfw add 02007 unreach 13 log icmp from any to any in recv ed0 icmptype 8
> >
> > which shows up as
> > 02007 7 588 unreach filter-prohib log icmp from any to any
> > in recv ed0 icmptype 8
> >
> >
> > But when I ping the host from the outside, I don't get an ICMP message back
> > that it's blocked by a filter, as I do when I ping different non-FreeBSD
> > hosts (e.g.)
>
> ipfw will not send an ICMP packet in response to an ICMP packet. Doing so
> might result in some nasty endless loops. One could argue that it would
> make sense to reply with ICMP_UNREACH when the incoming packet was not
> ICMP_UNREACH, but more thought would be required to ensure there weren't
> any endless loop scenarios possible from this (I can't think of any
> off-hand).

Hi,

Just curious, but could you give me an example of such? Where an ICMP packet of type 8 coming in would result in an endless loop?

I was just looking for a better way to let people on the outside know that we prohibit pings coming in. I get sick of answering all the mail asking if our network is down just because we don't allow pings coming in indiscriminately...

---Mike
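Added illustration, not part of the thread and not ipfw code: a toy model of the endless-loop concern Alex raises. Two hosts each run the same filter policy on inbound ICMP; the packet model, the policy names and the iteration limit are constructed for this example. The `rfc1122_policy` variant encodes the rule from RFC 1122 (section 3.2.2) that an ICMP error message must never be generated in response to another ICMP error message, which is the refinement the thread speculates about (reply to an echo request, but never to an unreachable).

```python
from dataclasses import dataclass
from typing import Callable, Optional

# ICMP message types used in the model (constructed subset).
ECHO_REQUEST = 8
UNREACH = 3
# ICMP *error* types per RFC 1122: unreachable, source quench,
# redirect, time exceeded, parameter problem.
ICMP_ERRORS = {3, 4, 5, 11, 12}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    icmp_type: int


Policy = Callable[[Packet], Optional[Packet]]


def reply_to_any_icmp(pkt: Packet) -> Optional[Packet]:
    """Naive policy: every filtered ICMP packet earns an ICMP unreachable."""
    return Packet(pkt.dst, pkt.src, UNREACH)


def ipfw_policy(pkt: Packet) -> Optional[Packet]:
    """What the thread says ipfw does: never answer ICMP with ICMP."""
    return None


def rfc1122_policy(pkt: Packet) -> Optional[Packet]:
    """Answer non-error ICMP (e.g. echo request) but never an ICMP error."""
    if pkt.icmp_type in ICMP_ERRORS:
        return None
    return Packet(pkt.dst, pkt.src, UNREACH)


def simulate(policy: Policy, first: Packet, limit: int = 20) -> Optional[int]:
    """Bounce packets between two hosts that both apply `policy`.

    Returns the number of packets exchanged before traffic stops, or None
    if `limit` is exceeded, i.e. the policy produced an endless loop.
    """
    pkt: Optional[Packet] = first
    count = 0
    while pkt is not None:
        count += 1
        if count > limit:
            return None
        pkt = policy(pkt)
    return count


if __name__ == "__main__":
    ping = Packet("outside", "gateway", ECHO_REQUEST)
    for name, policy in [("reply_to_any_icmp", reply_to_any_icmp),
                         ("ipfw_policy", ipfw_policy),
                         ("rfc1122_policy", rfc1122_policy)]:
        print(f"{name}: {simulate(policy, ping)}")
```

With the naive policy the unreachable sent for the ping is itself ICMP, so the far side answers it with another unreachable and the exchange never terminates; both of the other policies stop after one or two packets.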