From owner-freebsd-stable Tue Oct 16 12:27:19 2001
Delivered-To: freebsd-stable@freebsd.org
Received: from gvr.gvr.org (gvr.gvr.org [212.61.40.17]) by hub.freebsd.org (Postfix) with ESMTP id 7CCBB37B413 for ; Tue, 16 Oct 2001 12:27:15 -0700 (PDT)
Received: by gvr.gvr.org (Postfix, from userid 657) id 0C7A95807; Tue, 16 Oct 2001 21:27:14 +0200 (CEST)
Date: Tue, 16 Oct 2001 21:27:14 +0200
From: Guido van Rooij
To: freebsd-stable@FreeBSD.ORG
Subject: Re: IPFW or IPFILTER?
Message-ID: <20011016212713.A6881@gvr.gvr.org>
References: <20011014180756.A17546@adv.devet.org> <200110141616.f9EGG5x37636@lurza.secnetix.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <200110141616.f9EGG5x37636@lurza.secnetix.de>; from olli@secnetix.de on Sun, Oct 14, 2001 at 06:16:05PM +0200
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Sun, Oct 14, 2001 at 06:16:05PM +0200, Oliver Fromme wrote:
> > IIRC ipfilter does not allow '_any_ ICMP' in such a case: if you send an
> > 'ICMP echo' with keep-state then only 'ICMP echo reply' packets will be
> > allowed to pass through.
>
> That's bad, because you usually want to see other types of
> ICMP replies, too, such as TTL exceeded, host unreachable,
> communication prohibited etc.
>

Of course that is allowed in the UDP and TCP cases. However, in the case of ICMP request packets, you will never get back an ICMP error, because the protocol forbids sending ICMP errors for ICMP packets. To quote the RFC:

    To avoid the infinite regress of messages about messages etc., no ICMP messages are sent about ICMP messages.

-Guido
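A toy model of the stateful matching discussed in this thread, added here as an example and not code from the thread or from ipfilter: state kept for an outbound TCP/UDP flow admits the reply packets and also ICMP errors that quote that flow, while state kept for an outbound ICMP echo admits only the matching echo reply, and an ICMP error quoting an ICMP packet never matches any state. The `Pkt` fields, the `StateTable` class and the sample addresses are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

ICMP_ECHO_REPLY, ICMP_UNREACH, ICMP_ECHO, ICMP_TIME_EXCEEDED = 0, 3, 8, 11
ICMP_ERROR_TYPES = {ICMP_UNREACH, ICMP_TIME_EXCEEDED}


@dataclass(frozen=True)
class Pkt:
    """Minimal packet view (constructed for the example)."""
    proto: str                    # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0                # for icmp: the echo identifier
    dport: int = 0
    icmp_type: int = -1
    inner: Optional["Pkt"] = None  # datagram quoted inside an ICMP error


class StateTable:
    """Keeps outbound flow keys and decides which inbound packets match."""

    def __init__(self):
        self.entries = set()      # (proto, src, dst, sport, dport)

    def keep_state(self, p: Pkt) -> None:
        """Record an outbound packet that passed a 'keep state' rule."""
        self.entries.add((p.proto, p.src, p.dst, p.sport, p.dport))

    def allows_inbound(self, p: Pkt) -> bool:
        if p.proto in ("tcp", "udp"):
            # A reply reverses the addresses and ports of the outbound flow.
            return (p.proto, p.dst, p.src, p.dport, p.sport) in self.entries
        if p.proto != "icmp":
            return False
        if p.icmp_type == ICMP_ECHO_REPLY:
            # Echo state admits only the echo reply carrying the same identifier.
            return ("icmp", p.dst, p.src, p.sport, 0) in self.entries
        if p.icmp_type in ICMP_ERROR_TYPES and p.inner is not None:
            q = p.inner
            # The quoted datagram is the one we sent, so look it up directly;
            # an error quoting an ICMP packet matches nothing (no ICMP about ICMP).
            if q.proto not in ("tcp", "udp"):
                return False
            return (q.proto, q.src, q.dst, q.sport, q.dport) in self.entries
        return False
```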