Date: Tue, 16 Oct 2001 23:55:47 +0200
From: Guido van Rooij <guido@gvr.org>
To: "Crist J. Clark" <cristjc@earthlink.net>
Cc: freebsd-stable@FreeBSD.ORG
Subject: Re: IPFW or IPFILTER?
Message-ID: <20011016235547.A8081@gvr.gvr.org>
In-Reply-To: <20011016142613.D4437@blossom.cjclark.org>; from cristjc@earthlink.net on Tue, Oct 16, 2001 at 02:26:13PM -0700
References: <20011014180756.A17546@adv.devet.org> <200110141616.f9EGG5x37636@lurza.secnetix.de> <20011016212713.A6881@gvr.gvr.org> <20011016142613.D4437@blossom.cjclark.org>

On Tue, Oct 16, 2001 at 02:26:13PM -0700, Crist J. Clark wrote:
> > Of course that is allowed in the UDP and TCP cases. However, in the case of
> > ICMP request packets, you will never get back an ICMP error, because
> > the protocol forbids sending ICMP errors for ICMP packets.
> > To quote the rfc:
> > To avoid the infinite regress of messages about messages
> > etc., no ICMP messages are sent about ICMP messages.
>
> That is not true. An ICMP error is never sent in response to an ICMP
> _error_ message. You will get various ICMP error messages in response
> to something like a ping. ICMP-based traceroutes count on this
> fact. RFC1122 explicitly states,

You are right. The quote from the RFC is correct however.
Anyway, I just checked the IPfilter state code and in fact it does work
correctly (i.e. RFC1122 compliant) for ICMP queries as well.

-Guido
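
The rule the thread settles on (an ICMP error may answer an ICMP query such as a ping, but never another ICMP error), as an added example that is not part of the original message and is not IPFilter's code. The struct, function names and sample addresses are hypothetical; the second function shows how a stateful filter could relate an inbound ICMP error to a tracked echo request by inspecting the quoted headers.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum { TYPE_UNREACH = 3, TYPE_SOURCEQUENCH = 4, TYPE_REDIRECT = 5,
       TYPE_ECHO = 8, TYPE_TIMXCEED = 11, TYPE_PARAMPROB = 12 };

/* Hypothetical state entry for one outbound echo request (wire byte order). */
struct echo_state { uint8_t src[4], dst[4]; uint16_t id; };

/* ICMP error types per RFC 792; all other types are treated as queries here. */
static int icmp_is_error(uint8_t t) {
    return t == TYPE_UNREACH || t == TYPE_SOURCEQUENCH || t == TYPE_REDIRECT ||
           t == TYPE_TIMXCEED || t == TYPE_PARAMPROB;
}

/* RFC 1122: an error may answer an ICMP query, never another ICMP error. */
int may_send_icmp_error(uint8_t ip_proto, uint8_t icmp_type) {
    return ip_proto != 1 || !icmp_is_error(icmp_type);
}

/* icmp points at the ICMP header of an inbound packet. Returns 1 only if it
 * is an error message quoting the tracked echo request. */
int icmp_error_matches_state(const uint8_t *icmp, size_t len,
                             const struct echo_state *st) {
    if (len < 8 + 20 + 8 || !icmp_is_error(icmp[0])) return 0;
    const uint8_t *ip = icmp + 8;                  /* quoted IPv4 header */
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || len < 8 + ihl + 8) return 0;
    const uint8_t *q = ip + ihl;                   /* quoted ICMP header */
    if (ip[9] != 1 || q[0] != TYPE_ECHO) return 0; /* must quote our query */
    uint16_t id = (uint16_t)((q[4] << 8) | q[5]);
    return !memcmp(ip + 12, st->src, 4) && !memcmp(ip + 16, st->dst, 4) &&
           id == st->id;
}

/* Constructed sample: state for 192.0.2.10 -> 198.51.100.7, echo id 0x1234. */
const struct echo_state SAMPLE_STATE = { {192, 0, 2, 10}, {198, 51, 100, 7}, 0x1234 };

/* Constructed sample packet: error of outer_type quoting an ICMP inner_type. */
const uint8_t *sample_error(uint8_t outer_type, uint8_t inner_type) {
    static uint8_t b[36];
    memset(b, 0, sizeof b);
    b[0] = outer_type;
    b[8] = 0x45; b[17] = 1;          /* quoted IPv4, IHL 5, protocol ICMP */
    memcpy(b + 20, SAMPLE_STATE.src, 4);
    memcpy(b + 24, SAMPLE_STATE.dst, 4);
    b[28] = inner_type; b[32] = 0x12; b[33] = 0x34;
    return b;
}
```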