From owner-freebsd-questions@FreeBSD.ORG Sun Jun 13 15:48:33 2004
From: "JJB"
To: "Geert Hendrickx"
Date: Sun, 13 Jun 2004 11:45:58 -0400
In-Reply-To: <20040613112246.GA1647@lori.mine.nu>
Subject: RE: ipfw: question about keep-state on icmp
Reply-To: Barbish3@adelphia.net

I think if you read closely you will find out the keep-state option does not work on the icmp protocol because icmp is a stateless protocol. This does not mean that ipfw will give a coding error if you code it. You have to have an icmp stateless rule to allow it out and another to allow it in.
allow icmp from me to any out via xl0
allow icmp from any to me icmptype 0 in via xl0

-----Original Message-----
From: owner-freebsd-questions@freebsd.org [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Geert Hendrickx
Sent: Sunday, June 13, 2004 7:23 AM
To: freebsd-questions@freebsd.org
Subject: ipfw: question about keep-state on icmp

Hi, this is a fragment of my ipfw config which should allow me to ping others, but not allow others to ping me:

00092 allow icmp from me to any keep-state
65535 deny ip from any to any

Indeed, other hosts can't ping me... UNLESS I am pinging them at the same time! This is of course a result of keeping the state of icmp traffic between these two hosts, and I can avoid this by changing it to:

00091 deny icmp from any to me icmptype 8      <-- deny ping request to me
00092 allow icmp from me to any keep-state

(icmptype 8 = ping request)

But then I don't see the use for keep-state in 00092 anymore... The following seems equally valid to me:

00091 allow icmp from me to any
00092 allow icmp from any to me icmptype 0     <-- allow ping reply to me

So what am I missing? And are errors as in the first example also possible with tcp-connections, e.g. ssh?

GH
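A toy model, added here and written by neither poster, of how the three rulesets in this thread treat the "both hosts pinging each other at once" case that Geert describes. It assumes a simplified ipfw: a dynamic rule is keyed by the host pair and matches packets in either direction, the implicit check-state runs at the first keep-state rule, and interfaces ("via xl0") are ignored; the host names and verdict strings are constructed.

```python
# Toy model of ipfw evaluation for the three rulesets in this thread.
# Assumptions (a simplification, not ipfw's real implementation): a dynamic
# rule is keyed by the unordered host pair and matches packets in either
# direction, the implicit check-state runs at the first keep-state rule,
# and interfaces ("via xl0") are ignored.
ME, OTHER = "me", "other"          # constructed host names
ECHO_REQUEST, ECHO_REPLY = 8, 0    # icmptype values from the thread
# Each rule: action, src, dst, optional icmptype, optional keep_state.
ORIGINAL = [  # 00092 allow icmp from me to any keep-state
    {"action": "allow", "src": ME, "dst": "any", "keep_state": True},
]
FIXED = [     # 00091 deny echo requests to me, then 00092 with keep-state
    {"action": "deny", "src": "any", "dst": ME, "icmptype": ECHO_REQUEST},
    {"action": "allow", "src": ME, "dst": "any", "keep_state": True},
]
STATELESS = [  # 00091 allow out, 00092 allow echo replies in
    {"action": "allow", "src": ME, "dst": "any"},
    {"action": "allow", "src": "any", "dst": ME, "icmptype": ECHO_REPLY},
]

def matches(rule, pkt):
    """Static match: src/dst of 'any' or equal, icmptype only if given."""
    src, dst, icmptype = pkt
    return (rule["src"] in ("any", src) and rule["dst"] in ("any", dst)
            and rule.get("icmptype", icmptype) == icmptype)

def evaluate(ruleset, pkt, state):
    """Walk the rules in order; 'state' is the set of dynamic host pairs."""
    src, dst, _ = pkt
    for rule in ruleset:
        if rule.get("keep_state") and frozenset((src, dst)) in state:
            return "allow"  # dynamic rule hit: it matches both directions
        if matches(rule, pkt):
            if rule.get("keep_state"):
                state.add(frozenset((src, dst)))  # create the dynamic rule
            return rule["action"]
    return "deny"  # 65535 deny ip from any to any

def both_pinging(ruleset):
    """Me pinging OTHER while OTHER pings me; returns the three verdicts."""
    state = set()
    my_request = evaluate(ruleset, (ME, OTHER, ECHO_REQUEST), state)
    their_reply = evaluate(ruleset, (OTHER, ME, ECHO_REPLY), state)
    their_request = evaluate(ruleset, (OTHER, ME, ECHO_REQUEST), state)
    return my_request, their_reply, their_request

def unsolicited_ping(ruleset):
    """OTHER pings me while I am not pinging anyone (no dynamic state)."""
    return evaluate(ruleset, (OTHER, ME, ECHO_REQUEST), set())
```

In this model rule 00091 of the second ruleset works only because it sits before the first keep-state rule, so the inbound echo request is denied before the dynamic lookup ever runs.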