From owner-freebsd-security Wed Jun 7 8:52: 7 2000
Delivered-To: freebsd-security@freebsd.org
Received: from ns1.via-net-works.net.ar (ns1.via-net-works.net.ar [200.10.100.10]) by hub.freebsd.org (Postfix) with ESMTP id C84D537B5B3 for ; Wed, 7 Jun 2000 08:52:01 -0700 (PDT) (envelope-from fpscha@ns1.via-net-works.net.ar)
Received: (from fpscha@localhost) by ns1.via-net-works.net.ar (8.9.3/8.9.3) id MAA18656; Wed, 7 Jun 2000 12:51:07 -0300 (GMT)
From: Fernando Schapachnik
Message-Id: <200006071551.MAA18656@ns1.via-net-works.net.ar>
Subject: Re: IPFilter question
In-Reply-To: from David Pick at "Jun 7, 0 04:26:26 pm"
To: D.M.Pick@qmw.ac.uk (David Pick)
Date: Wed, 7 Jun 2000 12:51:03 -0300 (GMT)
Cc: fpscha@via-net-works.net.ar, freebsd-security@freebsd.org
Reply-To: Fernando Schapachnik
X-Mailer: ELM [version 2.4ME+ PL40 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In a previous message, David Pick wrote:
>
> > Using keep state with icmp doesn't allow traceroutes. The
> > solution I found was to let icmp types 0 and 11 in. Is this supposed
> > to work this way, or have I misconfigured something? Shouldn't `keep state' be
> > enough to let traceroute work?
>
> The problem is that traceroute works by sending out IP packets with
> gradually increasing TTL values and gathering the ICMP error reports
> that are generated as each packet gets so far and the TTL counts down
> to zero. So the ICMP responses come back from the intermediate router
> that dropped the output packet. So the source address of the ICMP
> packet is unpredictable, and the "keep-state" rule only puts in the
> *destination* IP address as the source address for the returning packets.

That must be it! So in theory you don't need to allow icmp-type 0 (echo reply),
because that is what the keep state icmp is for, right?

Thank you!

Fernando P. Schapachnik
Network Administration
VIA NET.WORKS ARGENTINA S.A.
fernando@via-net-works.net.ar
(54-11) 4323-3333
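The exchange above boils down to a question about what a state-table lookup keys on. The following is an added example, not code from the thread or from IPFilter itself: a toy state table and a minimal IPv4/ICMP parser that shows why an outgoing echo probe's state entry matches the echo reply (type 0) from the probed host but not the time-exceeded (type 11) that an intermediate router sends back, and how a firewall that looks at the original datagram quoted inside the ICMP error can match that error to the same state. All addresses, the ICMP identifier, and the packet bytes are constructed for the example; checksums are left zero and not verified.

```python
"""
Added example (not from the freebsd-security thread): model the keep-state
lookup David Pick describes and the inner-header lookup that fixes it.
"""
import struct
from ipaddress import IPv4Address

ICMP_ECHO_REPLY, ICMP_ECHO, ICMP_TIME_EXCEEDED = 0, 8, 11
PROTO_ICMP = 1

# Constructed, illustrative addresses and probe identifier.
HOST, ROUTER, TARGET, IDENT = "10.0.0.2", "198.51.100.1", "203.0.113.9", 0x1234


def datagram(src, dst, ttl, payload):
    """Minimal 20-byte IPv4 header (no options, checksum zero) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl,
                      PROTO_ICMP, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload


def icmp_echo(type_, ident, seq):
    """ICMP echo / echo reply body: type, code, checksum, identifier, sequence."""
    return struct.pack("!BBHHH", type_, 0, 0, ident, seq)


def icmp_error(type_, code, original):
    """ICMP error body per RFC 792: header, 4 unused bytes, then the original
    IP header plus the first 8 bytes of the original datagram's payload."""
    return struct.pack("!BBHI", type_, code, 0, 0) + original[:28]


def parse(pkt):
    """Parse an IPv4 datagram carrying ICMP into a dict; for a time-exceeded
    error, also parse the quoted original datagram under key 'inner'."""
    ihl = (pkt[0] & 0x0F) * 4
    body = pkt[ihl:]
    p = {"src": str(IPv4Address(pkt[12:16])), "dst": str(IPv4Address(pkt[16:20])),
         "ttl": pkt[8], "type": body[0], "code": body[1]}
    if p["type"] in (ICMP_ECHO, ICMP_ECHO_REPLY):
        p["id"], p["seq"] = struct.unpack("!HH", body[4:8])
    elif p["type"] == ICMP_TIME_EXCEEDED:
        p["inner"] = parse(body[8:])  # the probe the router dropped
    return p


class StateTable:
    """Keyed on (src, dst, icmp id) of the outgoing probe."""

    def __init__(self):
        self.entries = set()

    def add_outgoing(self, p):
        self.entries.add((p["src"], p["dst"], p["id"]))

    def match_naive(self, p):
        # What a plain keep-state lookup does: the reply must be an echo
        # reply whose addresses are the probe's addresses swapped.
        return p["type"] == ICMP_ECHO_REPLY and \
            (p["dst"], p["src"], p.get("id")) in self.entries

    def match_with_inner(self, p):
        # Additionally accept an ICMP error whose quoted original datagram
        # is the probe we recorded, whoever sent the error.
        if self.match_naive(p):
            return True
        inner = p.get("inner")
        return inner is not None and \
            (inner["src"], inner["dst"], inner.get("id")) in self.entries


def simulate():
    """Send one TTL=1 echo probe and test both lookups against the two kinds
    of packet that come back during a traceroute."""
    probe = datagram(HOST, TARGET, 1, icmp_echo(ICMP_ECHO, IDENT, 1))
    table = StateTable()
    table.add_outgoing(parse(probe))
    # The first-hop router expires the TTL and quotes the probe back to us.
    from_router = datagram(ROUTER, HOST, 64, icmp_error(ICMP_TIME_EXCEEDED, 0, probe))
    # A probe that reaches the target is answered with an echo reply.
    from_target = datagram(TARGET, HOST, 64, icmp_echo(ICMP_ECHO_REPLY, IDENT, 1))
    return {
        "naive_router": table.match_naive(parse(from_router)),
        "naive_target": table.match_naive(parse(from_target)),
        "inner_router": table.match_with_inner(parse(from_router)),
        "inner_target": table.match_with_inner(parse(from_target)),
    }


if __name__ == "__main__":
    for name, matched in simulate().items():
        print(f"{name}: {'pass' if matched else 'blocked'}")
```

The naive lookup is exactly the behaviour in the thread: echo replies from the probed host are covered by the keep-state entry, so a separate rule for type 0 is redundant, while the type 11 errors from intermediate routers are blocked unless a rule lets them in explicitly. The inner-header lookup is the other way out of the problem: it uses the quoted original header rather than the error packet's own source address, so it passes time-exceeded replies from any router without opening type 11 to the world.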