Date: Tue, 9 Jun 1998 21:12:31 +1000 (EST)
From: Darren Reed <avalon@coombs.anu.edu.au>
To: freebsd@tomqnx.com (Tom Torrance)
Cc: hackers@FreeBSD.ORG
Subject: Re: IPFW problem?
Message-ID: <199806091249.FAA10960@hub.freebsd.org>
In-Reply-To: <m0yjJW2-00087JC@TomQNX.tomqnx.com> from "Tom Torrance" at Jun 9, 98 04:12:22 am

In some mail from Tom Torrance, sie said:
>
> The sample file to the contrary, it appears that ipfw will not
> allow the "established" keyword for the "allow icmp" case.
>
> Is this a misunderstanding on my part or a genuine fault?
>
> Is there another way to allow ICMP only as part of the TCP protocol?

No. Not even IP Filter does this (yet). It does for NAT (that is ICMP
headers packets are checked for relevance to an active NAT mapping) and
is on my TODO list for "keep state" 'connections' too.

You've got several problems here, if you want to do it for ipfw, the first
being it has no concept of what "sessions" are currently in progress
across/through the firewall (whereas IP Filter can).

Darren

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
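
The relevance check the reply describes, sketched as an added example (not part of the original message, and not ipfw or IP Filter code): an ICMP error quotes the IP header plus the first 8 bytes of the packet that triggered it, so a filter that tracks sessions can pass the error only when the quoted addresses and ports match a tracked TCP session. The `session` struct, the function name, the accepted ICMP types and the sample data are assumptions made here; checksum and sequence-number validation are left out.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical state-table entry for one tracked TCP session (host byte order). */
struct session { uint32_t src, dst; uint16_t sport, dport; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)rd16(p) << 16 | rd16(p + 2); }

/* Returns 1 if the ICMP message (buffer starts at the ICMP header) is an error
 * quoting a TCP packet that belongs to a tracked session, else 0. */
int icmp_related(const uint8_t *icmp, size_t len, const struct session *tab, size_t n)
{
    if (len < 8 + 20 + 8) return 0;           /* ICMP hdr + quoted IP hdr + 8 bytes */
    uint8_t type = icmp[0];
    /* Assumed policy: unreachable, source quench, time exceeded, parameter problem. */
    if (type != 3 && type != 4 && type != 11 && type != 12) return 0;
    const uint8_t *ip = icmp + 8;             /* quoted original IP header */
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || len < 8 + ihl + 8) return 0;
    if (ip[9] != 6) return 0;                 /* quoted protocol must be TCP */
    uint32_t src = rd32(ip + 12), dst = rd32(ip + 16);
    uint16_t sport = rd16(ip + ihl), dport = rd16(ip + ihl + 2);
    for (size_t i = 0; i < n; i++) {          /* quoted packet may be either direction */
        const struct session *s = &tab[i];
        if (s->src == src && s->dst == dst && s->sport == sport && s->dport == dport) return 1;
        if (s->src == dst && s->dst == src && s->sport == dport && s->dport == sport) return 1;
    }
    return 0;
}

/* Constructed sample: "host unreachable" quoting 192.0.2.10:49152 -> 198.51.100.5:80. */
static const uint8_t sample_icmp[36] = {
    3, 1, 0, 0, 0, 0, 0, 0,
    0x45, 0, 0, 0x28, 0, 0, 0x40, 0, 0x40, 6, 0, 0,
    0xc0, 0x00, 0x02, 0x0a, 0xc6, 0x33, 0x64, 0x05,
    0xc0, 0x00, 0x00, 0x50, 0, 0, 0, 1 };
static const struct session tracked[]   = { { 0xc000020a, 0xc6336405, 49152, 80 } };
static const struct session unrelated[] = { { 0xc000020a, 0xc6336405, 49152, 443 } };

int main(void)
{
    printf("tracked: %d\n", icmp_related(sample_icmp, sizeof sample_icmp, tracked, 1));
    printf("unrelated: %d\n", icmp_related(sample_icmp, sizeof sample_icmp, unrelated, 1));
    return 0;
}
```

Without a session table to consult, a stateless rule has only the outer ICMP header to match on, which is the first problem the reply names.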