From: Georg Graf
To: freebsd-ipfw@freebsd.org
Date: Tue, 11 Feb 2003 20:51:12 +0100
Subject: Re: ipfw2 bug?
Message-ID: <20030211195112.GA36140@graf.priv.at>

On Mon, Feb 10, 2003 at 09:47:33PM +0300, Andy Jema wrote:
> I try to use the following ruleset:
>
> ipfw add check-state
>
> ipfw add allow tcp from me to any keep-state out via fxp0 setup
> ipfw add allow udp from me to any keep-state out via fxp0
> ipfw add allow icmp from me to any keep-state out via fxp0
>
> ipfw add 65435 deny log ip from any to any
>
> but in attempt of tracerouting of any external host I'm
> getting the denying message in log
> Feb 11 21:25:04 nss1 /ns1: ipfw: 65435 Deny ICMP:11.0 in via fxp0

Your setup installs udp dynamic allow rules, but you keep blocking the
icmp ttl exceeded messages from the routers, and the icmp port closed
messages from the host you traceroute.

> At the same time when I use the common rule like
>
> ipfw check-state
> ipfw add allow ip from me to any keep-state out via fxp0
>
> all works fine

I don't believe that; I cannot reproduce it on a 4.7-RELEASE-p4 box.
I guess you have an icmp allow rule somewhere left.

George

--
Georg Graf                      http://georg.graf.priv.at/
PGP Key ID: 0xA5232AD5
Gobergasse 43/2  A-1130 Wien    Tel: +43 1 8796723
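A small Python model of ipfw's check-state/keep-state matching, added here as an illustration and not part of the thread: it replays a constructed traceroute exchange against the poster's rules and shows that the UDP dynamic rule never matches the router's ICMP 11.0 reply (with either of the two rulesets), while an explicit stateless inbound ICMP allow does. Addresses, rule numbers and the hypothetical allow rule are my assumptions.

```python
from collections import namedtuple

Rule = namedtuple("Rule", "num action proto src dst direction keep_state")
Pkt = namedtuple("Pkt", "proto src sport dst dport direction icmp")
ME = "192.0.2.10"  # constructed address standing in for ipfw's 'me'

def key(p):
    # A dynamic rule is keyed on protocol and both endpoints/ports, so state
    # created by a UDP probe can only be matched by UDP between those hosts.
    return (p.proto, p.src, p.sport, p.dst, p.dport)

def rkey(p):
    return (p.proto, p.dst, p.dport, p.src, p.sport)

def matches(rule, p):
    if rule.direction not in ("any", p.direction):
        return False
    if rule.proto not in ("ip", p.proto):
        return False
    if rule.src == "me" and p.src != ME:
        return False
    return rule.dst != "me" or p.dst == ME

def run(rules, packets):
    """Return per-packet verdicts and the deny log lines the ruleset produces."""
    dyn, verdicts, log = set(), [], []
    for p in packets:
        if key(p) in dyn or rkey(p) in dyn:  # what 'check-state' does
            verdicts.append("allow")
            continue
        for r in rules:
            if not matches(r, p):
                continue
            if r.action == "allow" and r.keep_state:
                dyn.add(key(p))
            if r.action == "deny":
                log.append(f"ipfw: {r.num} Deny {p.proto.upper()}:{p.icmp} "
                           f"{p.direction} via fxp0")
            verdicts.append(r.action)
            break
    return verdicts, log

PACKETS = [  # constructed traceroute exchange on fxp0
    Pkt("udp", ME, 33434, "203.0.113.9", 33435, "out", ""),  # probe, TTL 1
    Pkt("icmp", "198.51.100.1", 0, ME, 0, "in", "11.0"),     # router: TTL exceeded
    Pkt("udp", "203.0.113.9", 33435, ME, 33434, "in", ""),   # a UDP reply does match state
]
DENY = Rule(65435, "deny", "ip", "any", "any", "any", False)
ORIGINAL = [Rule(100, "allow", "udp", "me", "any", "out", True), DENY]
ANY_IP = [Rule(100, "allow", "ip", "me", "any", "out", True), DENY]  # poster's 2nd ruleset
# Hypothetical stateless allow for inbound ICMP errors; a real rule would add 'icmptypes 3,11'.
FIXED = [Rule(90, "allow", "icmp", "any", "me", "in", False)] + ORIGINAL
```

Running `run(ORIGINAL, PACKETS)` reproduces the poster's log line for the ICMP packet only; the returning UDP packet is accepted by the dynamic rule, which is what keep-state is for.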