Date: Tue, 10 Mar 1998 15:35:10 -0600 (CST)
From: Alex Nash
To: Jt
cc: Mike D Tancsa , mike@sentex.net, stable@FreeBSD.ORG
Subject: Re: ipfw unreach statement help

On Tue, 10 Mar 1998, Jt wrote:

>
> I noticed ipfw man pages :
>     Discard packets that match this rule, and try to
>     send an ICMP unreachable notice with code code,
>
> what is preventing this from happening?

In /sys/netinet/ip_fw.c, starting at line 590 (for rev 1.51.2.12), there
is a test for a set of conditions which must be true to allow an ICMP
response to be sent:

	/*
	 * At this point, we're going to drop the packet.
	 * Send a reject notice if all of the following are true:
	 *
	 * - The packet matched a reject rule
	 * - The packet is not an ICMP packet
	 * - The packet is not a multicast or broadcast packet
	 */
	if ((rule->fw_flg & IP_FW_F_COMMAND) == IP_FW_F_REJECT
	    && ip->ip_p != IPPROTO_ICMP
	    && !((*m)->m_flags & (M_BCAST|M_MCAST))
	    && !IN_MULTICAST(ntohl(ip->ip_dst.s_addr))) {

The man page should be updated to mention these conditions.

Alex
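
The test quoted in the message above, modeled in user-space C as an added example (it is not code from ip_fw.c or from the original message). The constant values and the function names are stand-ins chosen for illustration, and the destination address is passed already in host byte order.

```c
#include <stdint.h>
#include <stdio.h>

/* Stand-in values for this model only; the kernel defines its own. */
#define CMD_MASK    0x0f   /* plays the role of IP_FW_F_COMMAND */
#define CMD_DENY    0x01   /* a drop rule that is not a reject rule */
#define CMD_REJECT  0x02   /* plays the role of IP_FW_F_REJECT */
#define PROTO_ICMP  1
#define PROTO_TCP   6
#define PROTO_UDP   17
#define LINK_BCAST  0x1    /* plays the role of M_BCAST */
#define LINK_MCAST  0x2    /* plays the role of M_MCAST */

/* Class D test, same meaning as IN_MULTICAST(): top four bits are 1110. */
static int is_multicast(uint32_t dst)
{
    return (dst & 0xf0000000u) == 0xe0000000u;
}

/* Returns 1 when a dropped packet would also get an ICMP reject notice. */
int sends_reject_notice(unsigned rule_flags, uint8_t proto,
                        uint32_t dst, unsigned link_flags)
{
    return (rule_flags & CMD_MASK) == CMD_REJECT      /* matched a reject rule */
        && proto != PROTO_ICMP                        /* never answer ICMP */
        && !(link_flags & (LINK_BCAST | LINK_MCAST))  /* link-level bcast/mcast */
        && !is_multicast(dst);                        /* IP-level multicast */
}

int main(void)
{
    /* Constructed sample packets: protocol, destination, link flags. */
    printf("reject, tcp to 192.168.1.10  -> %d\n",
           sends_reject_notice(CMD_REJECT, PROTO_TCP, 0xc0a8010au, 0));
    printf("deny,   tcp to 192.168.1.10  -> %d\n",
           sends_reject_notice(CMD_DENY, PROTO_TCP, 0xc0a8010au, 0));
    printf("reject, icmp to 192.168.1.10 -> %d\n",
           sends_reject_notice(CMD_REJECT, PROTO_ICMP, 0xc0a8010au, 0));
    printf("reject, udp link broadcast   -> %d\n",
           sends_reject_notice(CMD_REJECT, PROTO_UDP, 0xc0a801ffu, LINK_BCAST));
    printf("reject, udp to 224.0.0.1     -> %d\n",
           sends_reject_notice(CMD_REJECT, PROTO_UDP, 0xe0000001u, 0));
    return 0;
}
```

Only the first case returns 1; each of the others fails exactly one of the listed conditions, which is the silent drop the question describes.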