Date: Tue, 9 Jun 1998 08:37:18 -0700 (PDT)
From: Julian Elischer <julian@whistle.com>
To: Darren Reed <avalon@coombs.anu.edu.au>
Cc: Tom Torrance <freebsd@tomqnx.com>, hackers@FreeBSD.ORG
Subject: Re: IPFW problem?
Message-ID: <Pine.BSF.3.95.980609083607.26256B-100000@current1.whistle.com>
In-Reply-To: <199806091249.FAA10960@hub.freebsd.org>

IPFW relies on a separate module (libnat) to keep track of stateful
sessions. You could add code to libnat to do what you want.

julian

On Tue, 9 Jun 1998, Darren Reed wrote:

> In some mail from Tom Torrance, sie said:
> >
> > The sample file to the contrary, it appears that ipfw will not
> > allow the "established" keyword for the "allow icmp" case.
> >
> > Is this a misunderstanding on my part or a genuine fault?
> >
> > Is there another way to allow ICMP only as part of the TCP protocol?
>
> No.
>
> Not even IP Filter does this (yet). It does for NAT (that is ICMP
> headers packets are checked for relevance to an active NAT mapping)
> and is on my TODO list for "keep state" 'connections' too. You've
> got several problems here, if you want to do it for ipfw, the first
> being it has no concept of what "sessions" are currently in progress
> across/through the firewall (whereas IP Filter can).
>
> Darren
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-hackers" in the body of the message