From: freebsd@dreamchaser.org
To: freebsd-questions@freebsd.org
Date: Sun, 28 Oct 2007 21:11:00 -0700
Subject: ipfw -- why need to let icmp out that I already let in?

I'm now running 6.1 using PPPoE through a bridging DSL modem. Using ipfw I
have the following rules regarding ping / traceroute:

  oip, oif are the outside tun0 ip addr and interface
  inet, imask, and iif are the internal netip/mask/interface

from ipfw.conf:

    # Allow pings out
    # Note that for internal machines, this is an INCOMING request on the INTERNAL interface.
    add 10510 allow icmp from any to any out via oif() keep-state
    add 10511 allow icmp from inet():imask() to any in via iif() keep-state

    # Allow traceroute
    # Note that for internal machines, this is an INCOMING request on the INTERNAL interface.
    # Note the need to relay letting the icmp replies back out the internal interface in 10532!
    add 10520 allow udp from oip() to any out via oif() keep-state
    add 10521 allow icmp from any to oip() in via oif() icmptypes 3,11
    add 10530 allow udp from inet():imask() to any in via iif() keep-state
    add 10531 allow icmp from any to inet():imask() in via oif() icmptypes 3,11
    add 10532 allow icmp from any to inet():imask() out via iif() icmptypes 3,11

My question is regarding entry 10532. Without it, packets for traceroute come
in on iif and are routed out on oif, but the returning icmp time exceeded
in-transit packets are not forwarded to the internal network; they come in on
oif (line 10531) but never go out on iif. Why is 10532 necessary?

Other requests from the internal network, such as http requests, get forwarded
out the other interface just fine, and returning packets are routed back to the
internal interface, with a single entry of the form:

    add 10220 allow tcp from inet():imask() to any http in via iif() setup keep-state

When dynamic rules are built, are they built for all interfaces to allow a
packet to go anywhere appropriate, and similarly for return packets? Is the
above only a problem because of the stateless nature of icmp? I assumed that if
I allowed a packet in, it would be allowed out to its destination automatically.

Gary
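Added illustration, not code from the post or from ipfw itself: a simplified Python model of the rule set above in which a forwarded packet is checked once on each interface it crosses, and a keep-state match installs a dynamic entry keyed on protocol, addresses and ports. It assumes, as ipfw(8) describes, that such an entry matches its flow in either direction on any interface, and it ignores addresses and NAT; the constructed traffic shows the TCP reply passing both interfaces on the dynamic entry while the ICMP type 11 reply, a different protocol with no entry of its own, needs a static rule for each pass, so without 10532 it is dropped on the way out via iif.

```python
from collections import namedtuple
# Constructed types; addresses and NAT are not modelled, icmptype only matters for "icmp".
Pkt = namedtuple("Pkt", "proto src sport dst dport icmptype", defaults=(-1,))
Rule = namedtuple("Rule", "num proto direction iface keep_state icmptypes", defaults=(False, ()))

def flow_key(p):  # both endpoints of the flow, so a reply in the other direction hits it
    return frozenset({(p.proto, p.src, p.sport), (p.proto, p.dst, p.dport)})

class Firewall:
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.num)
        self.dyn = set()                # dynamic entries created by keep-state rules

    def check(self, p, direction, iface):
        # Assumption (per ipfw(8)): a dynamic entry matches its flow in either direction
        # on ANY interface; it is consulted before the static rules (implicit check-state).
        if flow_key(p) in self.dyn:
            return "allow(dynamic)"
        for r in self.rules:            # static rules: proto, direction, interface, ICMP type
            if (r.proto, r.direction, r.iface) != (p.proto, direction, iface):
                continue
            if r.icmptypes and p.icmptype not in r.icmptypes:
                continue
            if r.keep_state:
                self.dyn.add(flow_key(p))
            return f"allow({r.num})"
        return "deny(default)"

    def forward(self, p, in_if, out_if):
        # A forwarded packet is inspected twice: inbound on in_if, then outbound on out_if.
        verdicts = [self.check(p, "in", in_if)]
        if verdicts[0] != "deny(default)":
            verdicts.append(self.check(p, "out", out_if))
        return verdicts

def build_firewall(with_10532):
    # The post's forwarding rules, with the original numbers; 10532 is the one in question.
    rules = [Rule(10220, "tcp", "in", "iif", keep_state=True),
             Rule(10520, "udp", "out", "oif", keep_state=True),
             Rule(10530, "udp", "in", "iif", keep_state=True),
             Rule(10531, "icmp", "in", "oif", icmptypes=(3, 11))]
    if with_10532:
        rules.append(Rule(10532, "icmp", "out", "iif", icmptypes=(3, 11)))
    return Firewall(rules)

# Constructed traffic: host 10.0.0.5 traceroutes 192.0.2.1; router 198.51.100.9 sends type 11.
UDP_PROBE = Pkt("udp", "10.0.0.5", 40000, "192.0.2.1", 33434)
TIME_EXCEEDED = Pkt("icmp", "198.51.100.9", 0, "10.0.0.5", 0, icmptype=11)
HTTP_SYN = Pkt("tcp", "10.0.0.5", 50000, "192.0.2.1", 80)
HTTP_REPLY = Pkt("tcp", "192.0.2.1", 80, "10.0.0.5", 50000)
```

Running `build_firewall(False).forward(TIME_EXCEEDED, "oif", "iif")` after the probe returns `["allow(10531)", "deny(default)"]`, while the same call on `build_firewall(True)` returns `["allow(10531)", "allow(10532)"]`.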