Date: Wed, 31 Oct 2007 00:28:45 -0500
From: Dan Nelson <dnelson@allantgroup.com>
To: Ivan Voras <ivoras@freebsd.org>
Cc: freebsd-questions@freebsd.org
Subject: Re: ipfw -- why need to let icmp out that I already let in?
Message-ID: <20071031052845.GC3109@dan.emsphone.com>
In-Reply-To: <fg8d4b$vak$2@ger.gmane.org>
References: <47255D54.40700@dreamchaser.org> <fg8d4b$vak$2@ger.gmane.org>

In the last episode (Oct 31), Ivan Voras said:
> freebsd@dreamchaser.org wrote:
>
> > add 10510 allow icmp from any to any out via oif() keep-state
>
> I don't think ICMP is stateful :)
>
> You need both in and out rules for ICMP because the logical responses
> to packets can't be reliably connected into a single communication.

I use "allow icmp from any to any icmptypes 0,3,11,12 in" those types
being "echo reply", "destination unreachable", "time-to-live exceeded",
and "IP header bad".

-- 
	Dan Nelson
	dnelson@allantgroup.com
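
An added example, not part of the message above or of any poster's rule set: a small sh function that prints a stateless ICMP rule pair built around the quoted icmptypes filter, so the inbound and outbound halves can be reviewed side by side before loading. The interface name em0, the rule numbers, the outbound type list (echo request only) and the closing deny rule are assumptions for illustration.

```shell
#!/bin/sh
# Added example: prints ipfw commands only; nothing is loaded into the kernel.
# Usage: icmp_rules IFACE BASE   (rules are numbered BASE, BASE+10, BASE+20)

IN_TYPES="0,3,11,12"   # inbound types taken from the message above
OUT_TYPES="8"          # assumption: this host only originates echo requests

icmp_rules() {
    iface=$1
    base=$2
    # The output is meant to be reviewed and then fed to a shell, so refuse
    # anything that is not a plain interface name or a plain rule number.
    case $iface in
        ''|*[!A-Za-z0-9_.]*) echo "bad interface: $iface" >&2; return 1 ;;
    esac
    case $base in
        ''|*[!0-9]*) echo "bad rule number: $base" >&2; return 1 ;;
    esac
    # Inbound: replies and error reports only, matched by type, no keep-state.
    echo "ipfw add $base allow icmp from any to any in via $iface icmptypes $IN_TYPES"
    # Outbound: the separate "out" rule, here limited to echo request.
    echo "ipfw add $((base + 10)) allow icmp from any to any out via $iface icmptypes $OUT_TYPES"
    # Assumption: all other ICMP on this interface is dropped in both directions.
    echo "ipfw add $((base + 20)) deny icmp from any to any via $iface"
}

# Constructed sample values: interface em0, rules starting at 10500.
icmp_rules em0 10500
```

With these rules the host can ping out and still receives unreachable and TTL-exceeded errors, while inbound echo requests (type 8) fall through to the deny rule.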