From owner-freebsd-questions@FreeBSD.ORG Wed Oct 31 06:23:15 2007
Date: Wed, 31 Oct 2007 00:28:45 -0500
From: Dan Nelson
To: Ivan Voras
Cc: freebsd-questions@freebsd.org
Subject: Re: ipfw -- why need to let icmp out that I already let in?
Message-ID: <20071031052845.GC3109@dan.emsphone.com>
References: <47255D54.40700@dreamchaser.org>
X-OS: FreeBSD 7.0-BETA1
User-Agent: Mutt/1.5.16 (2007-06-09)

In the last episode (Oct 31), Ivan Voras said:
> freebsd@dreamchaser.org wrote:
>
> > add 10510 allow icmp from any to any out via oif() keep-state
>
> I don't think ICMP is stateful :)
>
> You need both in and out rules for ICMP because the logical responses
> to packets can't be reliably connected into a single communication.

I use "allow icmp from any to any icmptypes 0,3,11,12 in", those types
being "echo reply", "destination unreachable", "time-to-live exceeded",
and "IP header bad".

-- 
Dan Nelson
dnelson@allantgroup.com
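The point of the exchange above is that ipfw evaluates rules first-match, per direction, so an inbound-only ICMP rule does nothing for the echo requests a host sends out. The following is an added example, not code from the message or from FreeBSD's ipfw: a toy evaluator that models only the keywords used on the page (allow/deny, protocol, icmptypes, in/out, via) plus the default-deny rule 65535, and runs Dan's quoted inbound rule with and without a constructed outbound rule 10500 for echo requests (that outbound rule, the interface name and the packet descriptions are assumptions, not from the page). Dynamic (keep-state) rules and address matching are not modelled.

```python
"""Toy first-match evaluator for the ipfw ICMP rules in this thread.

Added example, not part of the original message or of FreeBSD's ipfw. It
models only the keywords used on the page (allow/deny, proto, icmptypes,
in/out, via) and the default-deny rule 65535; dynamic (keep-state) rules
and address matching are deliberately not modelled.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# ICMP message types named in the thread (RFC 792 type numbers).
ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED, PARAM_PROBLEM = 0, 3, 8, 11, 12

DEFAULT_RULE = 65535  # ipfw's final rule; deny unless the kernel is built default-to-accept


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                                 # "allow" or "deny"
    proto: str                                  # "icmp", "tcp", "udp" or "ip" (any)
    direction: Optional[str] = None             # "in", "out" or None (matches both)
    icmptypes: Optional[FrozenSet[int]] = None  # None means any ICMP type
    via: Optional[str] = None                   # interface name, or None for any

    def matches(self, pkt: dict) -> bool:
        if self.proto != "ip" and self.proto != pkt["proto"]:
            return False
        if self.direction is not None and self.direction != pkt["direction"]:
            return False
        if self.via is not None and self.via != pkt.get("iface"):
            return False
        if self.icmptypes is not None and pkt.get("icmptype") not in self.icmptypes:
            return False
        return True


def parse_rule(text: str) -> Rule:
    """Parse 'add N allow|deny PROTO from any to any [icmptypes a,b] [in|out] [via IF]'."""
    toks = text.split()
    if toks[:1] != ["add"] or toks[4:8] != ["from", "any", "to", "any"]:
        raise ValueError("only 'add N action proto from any to any ...' is modelled: %r" % text)
    number, action, proto = int(toks[1]), toks[2], toks[3]
    if action not in ("allow", "deny"):
        raise ValueError("unsupported action %r" % action)
    direction = via = None
    icmptypes = None
    i = 8
    while i < len(toks):
        tok = toks[i]
        if tok in ("in", "out"):
            direction = tok
        elif tok == "icmptypes":
            i += 1
            icmptypes = frozenset(int(t) for t in toks[i].split(","))
        elif tok == "via":
            i += 1
            via = toks[i]
        elif tok == "keep-state":
            raise ValueError("dynamic rules are not modelled")
        else:
            raise ValueError("unsupported keyword %r" % tok)
        i += 1
    return Rule(number, action, proto, direction, icmptypes, via)


def evaluate(rules: List[Rule], pkt: dict) -> Tuple[int, str]:
    """Return (rule number, action) of the first matching rule in number order."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(pkt):
            return rule.number, rule.action
    return DEFAULT_RULE, "deny"


def icmp(direction: str, icmptype: int, iface: str = "em0") -> dict:
    """Constructed ICMP packet description; interface name is an assumption."""
    return {"proto": "icmp", "direction": direction, "icmptype": icmptype, "iface": iface}


# Dan's inbound rule, quoted from the message, plus a constructed outbound rule
# (rule 10500 is an assumption) that lets locally generated echo requests leave.
INBOUND_ONLY = [parse_rule("add 10510 allow icmp from any to any icmptypes 0,3,11,12 in")]
PAIRED = INBOUND_ONLY + [parse_rule("add 10500 allow icmp from any to any icmptypes 8 out")]


def demo() -> dict:
    """Show why an inbound-only ICMP rule is not enough for outgoing pings."""
    return {
        "ping_out_inbound_only": evaluate(INBOUND_ONLY, icmp("out", ECHO_REQUEST)),
        "ping_out_paired": evaluate(PAIRED, icmp("out", ECHO_REQUEST)),
        "reply_in_paired": evaluate(PAIRED, icmp("in", ECHO_REPLY)),
        "ttl_exceeded_in_paired": evaluate(PAIRED, icmp("in", TIME_EXCEEDED)),
        "external_ping_in_paired": evaluate(PAIRED, icmp("in", ECHO_REQUEST)),
        "redirect_in_paired": evaluate(PAIRED, icmp("in", 5)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print("%-26s rule %5d %s" % (name, *verdict))
```

Running it shows the outgoing echo request hitting rule 65535 under the inbound-only set, and the paired set letting the request out and the reply, unreachable and time-exceeded messages back in while still dropping inbound echo requests and redirects, which is exactly the effect of restricting the inbound rule to types 0,3,11,12.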