Date: Tue, 10 Mar 1998 14:07:33 -0500
From: Max Euston <meuston@jmrodgers.com>
To: "'Alex Nash'" <nash@Mcs.Net>, Mike Tancsa <mike@sentex.net>
Cc: "stable@FreeBSD.ORG" <stable@FreeBSD.ORG>
Subject: RE: ipfw unreach statement help
Message-ID: <01BD4C2D.DFF29BE0.meuston@jmrodgers.com>

On Tuesday, March 10, 1998 11:12 AM, Alex Nash [SMTP:nash@Mcs.Net] wrote:
> On Mon, 9 Mar 1998, Mike Tancsa wrote:
[snip]
> > But when I ping the host from the outside, I don't get an ICMP message back
> > that it's blocked by a filter as I do when ping a different non-FreeBSD
> > hosts (e.g.)
>
> ipfw will not send an ICMP packet in response to an ICMP packet.  Doing so
> might result in some nasty endless loops.  One could argue that it would
> make sense to reply with ICMP_UNREACH when the incoming packet was not
> ICMP_UNREACH, but more thought would be required to ensure there weren't
> any endless loop scenarios possible from this (I can't think of any
> off-hand).
>
> Alex
>

How about only reply when the source packet is an ICMP:8 (echo or "ping")?
Isn't this the only packet type that by design expects a response (ICMP:0
echo-reply) (I am not reading from the RFP - so I may be wrong).  We would
just be responding with a different packet as some other systems already do.

I tried to do this a while ago and just never followed up on it.  I will
have a look at the source and see about a patch *IF* this sounds like a
reasonable solution.

Any comments?

Max
-----
Max Euston <meuston@jmrodgers.com>
Sysadm, Programmer, etc...

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
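
The three reply policies raised in this thread, side by side, as an added C example (not code from the thread or from ipfw). The policy names, `may_send_unreach` and `make_pkt` are hypothetical, the sample packets are constructed, and the non-initial-fragment check is an addition taken from RFC 1122 that the thread does not mention.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { ICMP_ECHOREPLY = 0, ICMP_UNREACH = 3, ICMP_ECHO = 8 };  /* RFC 792 types */

/* Hypothetical names for the three behaviours discussed in the thread. */
enum policy {
    NEVER_FOR_ICMP,     /* ipfw as described: no ICMP sent in response to ICMP */
    ECHO_REQUEST_ONLY,  /* reply only when the offending ICMP is type 8 */
    ANY_BUT_UNREACH     /* reply unless the offending ICMP is itself type 3 */
};

/* Return 1 if an ICMP unreachable may be generated for this blocked IPv4 packet. */
int may_send_unreach(const uint8_t *pkt, size_t len, enum policy p)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return 0;       /* not a usable IPv4 header */
    size_t hlen = (size_t)(pkt[0] & 0x0f) * 4;
    if (hlen < 20 || len <= hlen) return 0;             /* bad IHL or no payload byte */
    if ((((pkt[6] & 0x1f) << 8) | pkt[7]) != 0) return 0; /* non-initial fragment (RFC 1122) */
    if (pkt[9] != 1) return 1;                          /* not ICMP: TCP, UDP, ... */
    uint8_t type = pkt[hlen];                           /* first ICMP byte is the type */
    if (p == ECHO_REQUEST_ONLY) return type == ICMP_ECHO;
    if (p == ANY_BUT_UNREACH) return type != ICMP_UNREACH;
    return 0;                                           /* NEVER_FOR_ICMP */
}

/* Build a constructed 28-byte sample: 20-byte IPv4 header + 8-byte payload. */
void make_pkt(uint8_t buf[28], uint8_t proto, uint8_t first_byte, uint16_t frag_off)
{
    memset(buf, 0, 28);
    buf[0] = 0x45;                                /* version 4, IHL 5 */
    buf[6] = (uint8_t)((frag_off >> 8) & 0x1f);   /* fragment offset, high bits */
    buf[7] = (uint8_t)(frag_off & 0xff);          /* fragment offset, low bits */
    buf[9] = proto;                               /* 1 = ICMP, 17 = UDP */
    buf[20] = first_byte;                         /* ICMP type when proto is 1 */
}

int main(void)
{
    uint8_t pkt[28];
    const int types[] = { ICMP_ECHO, ICMP_ECHOREPLY, ICMP_UNREACH };
    for (size_t i = 0; i < 3; i++) {
        make_pkt(pkt, 1, (uint8_t)types[i], 0);
        printf("icmp type %d: never=%d echo-only=%d not-unreach=%d\n", types[i],
               may_send_unreach(pkt, 28, NEVER_FOR_ICMP),
               may_send_unreach(pkt, 28, ECHO_REQUEST_ONLY),
               may_send_unreach(pkt, 28, ANY_BUT_UNREACH));
    }
    return 0;
}
```

Under every policy a blocked ICMP_UNREACH produces no reply, which is the property that keeps two filtering hosts from answering each other indefinitely.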