From owner-freebsd-questions@FreeBSD.ORG  Sun Jun 13 12:45:05 2004
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 0FE8E16A4CE
	for <freebsd-questions@freebsd.org>;
	Sun, 13 Jun 2004 12:45:05 +0000 (GMT)
Received: from outfbmx002.isp.belgacom.be (outfbmx002.isp.belgacom.be
	[195.238.3.102])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 6C0AA43D48
	for <freebsd-questions@freebsd.org>;
	Sun, 13 Jun 2004 12:45:04 +0000 (GMT)
	(envelope-from geert@lori.mine.nu)
Received: from outmx013.isp.belgacom.be (outmx013.isp.belgacom.be
	[195.238.3.64])
	(8.12.11/8.12.11/Skynet-OUT-FALLBACK-2.22) with ESMTP id
	i5DBNA9M007093        for <freebsd-questions@freebsd.org>;
	Sun, 13 Jun 2004 13:23:10 +0200
	(envelope-from <geert@lori.mine.nu>)
Received: from outmx013.isp.belgacom.be (localhost [127.0.0.1])
	with ESMTP id i5DBMpq5010532
	for <freebsd-questions@freebsd.org>; Sun, 13 Jun 2004 13:22:51 +0200
	(envelope-from <geert@lori.mine.nu>)
Received: from lori.mine.nu (166-19.244.81.adsl.skynet.be [81.244.19.166])
	with ESMTP id i5DBMlvS010496
	for <freebsd-questions@freebsd.org>; Sun, 13 Jun 2004 13:22:48 +0200
	(envelope-from <geert@lori.mine.nu>)
Received: by lori.mine.nu (Postfix, from userid 1000)
	id 6C3DE42A; Sun, 13 Jun 2004 13:22:47 +0200 (CEST)
Date: Sun, 13 Jun 2004 13:22:47 +0200
From: Geert Hendrickx <geert.hendrickx@ua.ac.be>
To: freebsd-questions@freebsd.org
Message-ID: <20040613112246.GA1647@lori.mine.nu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.4.2i
X-GPG-Key: http://www.win.ua.ac.be/~s005085/gnupgkey.txt
X-GPG-Key-ID: 1024D/766C1E92
X-Accept-Language: nl,en
Subject: ipfw: question about keep-state on icmp
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>,
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>,
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 13 Jun 2004 12:45:05 -0000

Hi, 

this is a fragment of my ipfw-config which should allow me to ping 
others, but not allow others to ping me: 

00092 allow icmp from me to any keep-state
65535 deny ip from any to any

Indeed, other hosts can't ping me... UNLESS I am pinging them at the 
same time!  This is of course a result of keeping the state of icmp-
traffic between these two hosts, and I can avoid this by changing it to:

00091 deny icmp from any to me icmptype 8    <-- deny ping request to me
00092 allow icmp from me to any keep-state

(icmptype 8 = ping request) 

But then I don't see the use for keep-state in 00092 anymore...  The
following seems equally valid to me: 

00091 allow icmp from me to any
00092 allow icmp from any to me icmptype 0   <-- allow ping reply to me

So what am I missing?  

And are errors as in the first example also possible with
tcp-connections, e.g. ssh?  

GH