From owner-freebsd-questions  Sat Jul 21 19:52:45 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from mail.ottawa.com (mail.ottawa.com [209.217.94.166])
	by hub.freebsd.org (Postfix) with ESMTP id 7313337B401
	for <freebsd-questions@FreeBSD.ORG>; Sat, 21 Jul 2001 19:52:42 -0700 (PDT)
	(envelope-from 18923@mail.ottawa.com)
Received: (from ottawa@localhost)
	by mail.ottawa.com (8.9.2-aidan/8.9.2) id XAA18060;
	Sat, 21 Jul 2001 23:02:20 -0400 (EDT)
Date: Sat, 21 Jul 2001 23:02:20 -0400 (EDT)
Message-Id: <200107220302.XAA18060@mail.ottawa.com>
To: Fernando Gleiser <fgleiser@cactus.fi.uba.ar>
From: Mark Livingstone <mlivingstone@ottawa.com>
Subject: Re: how could this PACKET get through?!
Cc: <freebsd-questions@FreeBSD.ORG>
X-Account: 18923
X-Sender-IP: 24.43.203.140
Mime-Version: 1.0
Content-Type: text/plain
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-questions.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-questions>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-questions>
X-Loop: FreeBSD.ORG

Fernando, thanks for your help.

I do have one question for you: i need to block all incoming icmp, however, 
allow outgoing icmp + traceroute. Which rules should i preserve and which 
should i remove? the setup that i have does exactly what i need.. but i bet 
there is a better way you know of.

thanks

On Jul 17, Fernando Gleiser <fgleiser@cactus.fi.uba.ar> wrote:
> 
> 
> On Tue, 17 Jul 2001, Mark Livingstone wrote:
> [snip]
> 
> >
> > pass in log quick on ed0 proto icmp from any to any icmp-type 0
> > pass in log quick on ed0 proto icmp from any to any icmp-type unreach 
code 3
> > pass in log quick on ed0 proto icmp from any to any icmp-type unreach 
code 4
> > pass in log quick on ed0 proto icmp from any to any icmp-type timex
> ^^^^^^^^
> Here is: you allow incomming icmp time exeeded, and log it. The packet you
> received was a time exeeded in transit (11/0).
> 
> Those seem the rules to make traceroute work. If you keep state on
> outgoing udp packets you won't need them, the state code can tell
> icmp packets which are responses to outgoing packets from icmp packets
> which aren't (because an icmp error has the first bytes of the packet which
> caused it).
> 
> 
> 
> 			Fer
> 
> 
> 



Get your Free email at http://mail.ottawa.com/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message