Date: Wed, 7 Jun 2000 12:51:03 -0300 (GMT)
From: Fernando Schapachnik <fpscha@ns1.via-net-works.net.ar>
To: D.M.Pick@qmw.ac.uk (David Pick)
Cc: fpscha@via-net-works.net.ar, freebsd-security@freebsd.org
Subject: Re: IPFilter question
Message-ID: <200006071551.MAA18656@ns1.via-net-works.net.ar>
In-Reply-To: <E12zhis-0001Hq-00@xi.css.qmw.ac.uk> from David Pick at "Jun 7, 0 04:26:26 pm"
In an earlier message, David Pick wrote:

> > Using keep state with icmp doesn't allow traceroutes. The
> > solution I found was to let icmp types 0 and 11 in. Is this supposed
> > to work this way or did I misconfigure something? Shouldn't `keep state' be
> > enough to let traceroute work?
>
> The problem is that traceroute works by sending out IP packets with
> gradually increasing TTL values and gathering the ICMP error reports
> that are generated as each packet gets so far and the TTL counts down
> to zero. So the ICMP responses come back from the intermediate router
> that dropped the output packet. So the source address of the ICMP
> packet is unpredictable, and the "keep-state" rule only puts in the
> *destination* IP address as the source address for the returning packets.

That must be it! So in theory you don't need to allow icmp-type 0 (echo reply)
because that is what the keep state icmp is for, right?

Thank you!

Fernando P. Schapachnik
Network administration
VIA NET.WORKS ARGENTINA S.A.
fernando@via-net-works.net.ar
(54-11) 4323-3333

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
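The mechanism David Pick describes, as an added example (not code from the thread or from IPFilter): a small model of a stateful filter run over constructed packets. The "naive" match is the behaviour the thread attributes to `keep state` on icmp: the returning packet must be the mirror image of the outbound flow, so its source must be the original destination, which a traceroute probe's ICMP time-exceeded reply from an intermediate router never is. The "error-aware" match is a generalization beyond what the message discusses: since ICMP errors (unreachable, time exceeded, parameter problem) quote the IP header and first 8 bytes of the datagram that triggered them, a filter can look up state on that quoted datagram instead of the outer header, which is how later stateful filters accept these errors without a stateless `pass in` for type 11. All addresses, ports and packets are constructed for the example; IP checksums are left zero and not validated.

```python
"""Model of why an IPFilter-style `keep state` rule misses traceroute replies.

Added example, not code from the original message or from IPFilter.
Constructed packets only; no network access.
"""
import socket
import struct

ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8
ICMP_UNREACH, ICMP_TIME_EXCEEDED, ICMP_PARAM_PROB = 3, 11, 12
ICMP_ERRORS = {ICMP_UNREACH, ICMP_TIME_EXCEEDED, ICMP_PARAM_PROB}
PROTO_ICMP, PROTO_UDP = 1, 17
IP_HDR = "!BBHHHBBH4s4s"  # 20-byte IPv4 header, no options


def ipv4_header(src, dst, proto, ttl, payload_len):
    """Minimal IPv4 header; checksum left zero (not validated here)."""
    return struct.pack(IP_HDR, 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def udp_header(sport, dport, payload_len):
    return struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)


def icmp_message(typ, code, body):
    """8-byte ICMP header (checksum and rest-of-header zero) plus body."""
    return struct.pack("!BBHI", typ, code, 0, 0) + body


def parse_ipv4(pkt):
    """Return (src, dst, proto, header_len) of a raw IPv4 packet."""
    vihl, _, _, _, _, _, proto, _, src, dst = struct.unpack(IP_HDR, pkt[:20])
    return socket.inet_ntoa(src), socket.inet_ntoa(dst), proto, (vihl & 0x0F) * 4


def flow_key(pkt):
    """5-tuple used as the state key; ICMP is keyed on addresses only."""
    src, dst, proto, ihl = parse_ipv4(pkt)
    sport = dport = 0
    if proto == PROTO_UDP:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return (proto, src, dst, sport, dport)


class StateTable:
    def __init__(self):
        self.entries = set()

    def add_outbound(self, pkt):
        self.entries.add(flow_key(pkt))

    def match_naive(self, pkt):
        """`keep state` as described in the thread: the reply must come *from*
        the address we sent *to*, with the ports swapped."""
        proto, src, dst, sport, dport = flow_key(pkt)
        return (proto, dst, src, dport, sport) in self.entries

    def match_error_aware(self, pkt):
        """Additionally accept ICMP errors whose quoted inner datagram is one
        we sent. The outer source (an intermediate router) is ignored; the
        outer destination must equal the quoted source to reject spoofed errors."""
        if self.match_naive(pkt):
            return True
        _, dst, proto, ihl = parse_ipv4(pkt)
        icmp = pkt[ihl:]
        # Need ICMP header + quoted IP header + 8 bytes of the original datagram.
        if proto != PROTO_ICMP or icmp[0] not in ICMP_ERRORS or len(icmp) < 8 + 20 + 8:
            return False
        inner = icmp[8:]
        inner_src = parse_ipv4(inner)[0]
        return inner_src == dst and flow_key(inner) in self.entries


def traceroute_scenario():
    """Constructed: 10.0.0.2 probes 192.0.2.1 (UDP/33434, TTL 1); the hop-1
    router 198.51.100.1 answers with ICMP time exceeded quoting the probe."""
    host, target, router = "10.0.0.2", "192.0.2.1", "198.51.100.1"
    probe_l4 = udp_header(33000, 33434, 0)
    probe = ipv4_header(host, target, PROTO_UDP, 1, len(probe_l4)) + probe_l4
    state = StateTable()
    state.add_outbound(probe)
    icmp = icmp_message(ICMP_TIME_EXCEEDED, 0, probe[:28])  # IP header + 8 bytes
    ttl_exceeded = ipv4_header(router, host, PROTO_ICMP, 64, len(icmp)) + icmp
    return {"naive": state.match_naive(ttl_exceeded),
            "error_aware": state.match_error_aware(ttl_exceeded)}


def ping_scenario():
    """Constructed: echo request out, echo reply back from the same address.
    This is the case `keep state` on icmp does cover, so both strategies match."""
    host, target = "10.0.0.2", "192.0.2.1"
    req = icmp_message(ICMP_ECHO_REQUEST, 0, b"")
    echo_req = ipv4_header(host, target, PROTO_ICMP, 64, len(req)) + req
    rep = icmp_message(ICMP_ECHO_REPLY, 0, b"")
    echo_rep = ipv4_header(target, host, PROTO_ICMP, 64, len(rep)) + rep
    state = StateTable()
    state.add_outbound(echo_req)
    return {"naive": state.match_naive(echo_rep),
            "error_aware": state.match_error_aware(echo_rep)}


if __name__ == "__main__":
    print("traceroute reply:", traceroute_scenario())
    print("echo reply:     ", ping_scenario())
```

The traceroute scenario is the failure in the thread: the naive match rejects the time-exceeded message because its source is the router, not the probe's destination, while the echo reply is accepted by both strategies, which is why the echo-reply rule (type 0) is redundant alongside `keep state` but the type 11 rule is not. The error-aware match also checks that the quoted inner source equals the outer destination, the minimal sanity check a practitioner would want before trusting an ICMP error from an arbitrary source.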