From owner-freebsd-stable  Sun Oct 14  9:16:10 2001
Delivered-To: freebsd-stable@freebsd.org
Received: from lurza.secnetix.de (lurza.secnetix.de [212.66.1.130])
	by hub.freebsd.org (Postfix) with ESMTP id 2194537B407
	for <freebsd-stable@FreeBSD.ORG>; Sun, 14 Oct 2001 09:16:06 -0700 (PDT)
Received: (from olli@localhost)
	by lurza.secnetix.de (8.11.6/8.11.6) id f9EGG5x37636;
	Sun, 14 Oct 2001 18:16:05 +0200 (CEST)
	(envelope-from oliver.fromme@secnetix.de)
Date: Sun, 14 Oct 2001 18:16:05 +0200 (CEST)
Message-Id: <200110141616.f9EGG5x37636@lurza.secnetix.de>
From: Oliver Fromme <olli@secnetix.de>
To: freebsd-stable@FreeBSD.ORG
Reply-To: freebsd-stable@FreeBSD.ORG
Subject: Re: IPFW or IPFILTER?
In-Reply-To: <20011014180756.A17546@adv.devet.org>
X-Newsgroups: list.freebsd-stable
User-Agent: tin/1.5.4-20000523 ("1959") (UNIX) (FreeBSD/4.4-RELEASE (i386))
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-stable.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-stable>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-stable>
X-Loop: FreeBSD.ORG

Arjan de Vet <devet@devet.org> wrote:
 > In article <20011012184741.D6274@blossom.cjclark.org> you write:
 > [...]
 > >Will let you ping the rest of the word and even let Windows-style
 > >traceroutes work, but that's because it works like this:
 > >
 > >  <src_ip>:<src_icmp_type.src_icmp_code> -> <dst_ip>
 > >
 > >Creates a dynamic rule,
 > >
 > >  pass icmp from <dst_ip> to <src_ip>
 > >
 > >That is, _any_ ICMP from <dst_ip> to <src_ip> is passed for the
 > >dynamic's rule lifetime.
 > 
 > IIRC ipfilter does not allow '_any_ ICMP' in such a case: if you send an
 > 'ICMP echo' with keep-state then only 'ICMP echo reply' packets will be
 > allowed to pass through.

That's bad, because you usually want to see other types of
ICMP replies, too, such as TTL exceeded, host unreachable,
communication prohibited etc.

Regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co KG, Oettingenstr. 2, 80538 München
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"All that we see or seem is just a dream within a dream" (E. A. Poe)

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message