From owner-freebsd-hackers Thu Aug 2 10:27:36 2001
Delivered-To: freebsd-hackers@freebsd.org
Received: from ringworld.nanolink.com (unknown [217.75.135.248]) by hub.freebsd.org (Postfix) with SMTP id EDEAB37B401 for ; Thu, 2 Aug 2001 10:27:30 -0700 (PDT) (envelope-from roam@ringworld.nanolink.com)
Received: (qmail 30454 invoked by uid 1000); 2 Aug 2001 17:26:19 -0000
Date: Thu, 2 Aug 2001 20:26:19 +0300
From: Peter Pentchev
To: Dennis Berger
Cc: freebsd-hackers@freebsd.org
Subject: Re: keep-state rule for icmp, really stateful ???
Message-ID: <20010802202618.A11105@ringworld.oblivion.bg>
Mail-Followup-To: Dennis Berger, freebsd-hackers@freebsd.org
References: <000801c11b66$f57452e0$650110ac@nachpolierer>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <000801c11b66$f57452e0$650110ac@nachpolierer>; from HypnotiZer@gmx.net on Thu, Aug 02, 2001 at 05:22:36PM +0200
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Thu, Aug 02, 2001 at 05:22:36PM +0200, Dennis Berger wrote:
> Hi
> I have the following rule allowing traceroute and ping to my server.
> "200 allow icmp from any to any keep-state in recv tun0 icmptype 8"
> Now I would assume that this rule generates two dynamic rules back.
> The first one is a rule that initiates ping to work properly; it's just a dynamic ICMP rule
> 00200 2623 220332 (T 30, # 43) ty 0 icmp, 134.100.58.115 0 <-> 213.23.32.88 0
> and the second that the traceroute UDP traffic from port 33434-33960 can pass in.
> But what happens ... the rule 200 doesn't open a second dynamic rule to allow UDP traffic to specific ports back in, the traceroute UDP traffic will be blocked.
> To keep the ICMP packet filtering stateful it would be nice to implement this cleanly. Or maybe it is already implemented in the CURRENT tree.
> What's the current state?
Errrr.. maybe it's just me, but I just can't see how a rule that says 'allow icmp' should allow UDP traffic to pass through.. Maybe you haven't shown us all the rules? (And I don't necessarily mean 'all the rules pertaining to icmp and traceroute'.. it might as well be that some other rule, which you do not consider relevant, is blocking your traceroute packets.)

G'luck,
Peter

-- 
I am jealous of the first word in this sentence.
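The point of the reply above is that a dynamic rule created by "allow icmp ... keep-state" is keyed on the protocol and the two endpoints, so it can only ever match the ICMP reply to the echo request that created it; a UDP traceroute probe never hits that entry and falls through to the remaining static rules. The following is an added illustration, not part of the thread and not ipfw source code: a small Python model of that matching behaviour, run against rule 200 from the original post with and without a hypothetical rule 210 that admits UDP to the traceroute port range directly. Interface matching ("recv tun0"), ICMP id tracking and dynamic-rule timeouts are left out of the model, and the addresses are constructed from the documentation ranges.

```python
"""Simplified model of ipfw dynamic (keep-state) rule matching.

Added illustration, not ipfw code. Dynamic entries are keyed on the protocol
plus both (address, port) pairs, so an ICMP entry never matches a UDP packet.
Interface matching ("recv tun0") and ICMP id tracking are left out.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class Packet:
    proto: str                    # "icmp" or "udp"
    src: str
    dst: str
    direction: str                # "in" or "out"
    sport: int = 0                # 0 for icmp
    dport: int = 0
    icmptype: Optional[int] = None


@dataclass
class Rule:
    number: int
    action: str                   # "allow" or "deny"
    proto: str                    # "icmp", "udp" or "ip" (any protocol)
    direction: Optional[str] = None
    dports: Optional[range] = None
    icmptypes: Optional[Set[int]] = None
    keep_state: bool = False

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.direction is not None and self.direction != pkt.direction:
            return False
        if self.dports is not None and pkt.dport not in self.dports:
            return False
        if self.icmptypes is not None and pkt.icmptype not in self.icmptypes:
            return False
        return True


class Firewall:
    """Static rules are scanned in number order; dynamic entries are checked first."""

    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)
        self.dynamic = set()

    @staticmethod
    def flow_key(pkt: Packet):
        # Direction-agnostic key: the reply to a flow hits the same entry.
        endpoints = frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})
        return (pkt.proto, endpoints)

    def check(self, pkt: Packet) -> str:
        if self.flow_key(pkt) in self.dynamic:   # implicit check-state
            return "allow"
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.action == "allow" and rule.keep_state:
                    self.dynamic.add(self.flow_key(pkt))
                return rule.action
        return "deny"                             # default rule: deny everything else


def traceroute_scenario(with_udp_rule: bool) -> Dict[str, str]:
    """Run rule 200 from the thread against an echo exchange and a traceroute UDP probe.

    with_udp_rule adds a hypothetical rule 210 (not from the thread) that admits
    inbound UDP to the traceroute port range 33434-33960 as a plain static rule.
    """
    rules = [Rule(200, "allow", "icmp", direction="in", icmptypes={8}, keep_state=True)]
    if with_udp_rule:
        rules.append(Rule(210, "allow", "udp", direction="in", dports=range(33434, 33961)))
    fw = Firewall(rules)

    # Constructed addresses from the documentation ranges, not the thread's hosts.
    client, server = "192.0.2.10", "198.51.100.5"
    echo_request = Packet("icmp", client, server, "in", icmptype=8)
    echo_reply = Packet("icmp", server, client, "out", icmptype=0)
    udp_probe = Packet("udp", client, server, "in", sport=40000, dport=33434)

    return {
        "echo_request": fw.check(echo_request),
        # Type 0 does not satisfy rule 200 itself, but it hits the dynamic entry.
        "echo_reply": fw.check(echo_reply),
        "udp_probe": fw.check(udp_probe),
    }


if __name__ == "__main__":
    print("rule 200 only:      ", traceroute_scenario(False))
    print("rule 200 + rule 210:", traceroute_scenario(True))
```

With rule 200 alone the echo request and its reply are allowed while the UDP probe is denied, exactly the symptom described in the original post; the probe only passes once a rule that actually names UDP is present. Whether that rule should be stateful is a separate question: inbound traceroute probes to the server are not replies to anything the server sent, so a plain static allow on the port range is the natural shape.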