I think if you read closely you will find out the keep-state option does not work on the icmp protocol because icmp is stateless protocol. This does not mean that ipfw will give coding error if you code it.
You have to have an icmp stateless rule to allow it out and another to allow it in. allow icmp from me to any out via xl0 allow icmp from any to me icmptype 0 in via xl0 -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Geert Hendrickx Sent: Sunday, June 13, 2004 7:23 AM To: [EMAIL PROTECTED] Subject: ipfw: question about keep-state on icmp Hi, this is a fragment of my ipfw-config which should allow me to ping others, but not allow others to ping me: 00092 allow icmp from me to any keep-state 65535 deny ip from any to any Indeed, other hosts can't ping me... UNLESS I am pinging them at the same time! This is of course a result of keeping the state of icmp- traffic between these two hosts, and I can avoid this by changing it to: 00091 deny icmp from any to me icmptype 8 <-- deny ping request to me 00092 allow icmp from me to any keep-state (icmptype 8 = ping request) But then I don't see the use for keep-state in 00092 anymore... The following seems equally valid to me: 00091 allow icmp from me to any 00092 allow icmp from any to me icmptype 0 <-- allow ping reply to me So what am I missing? And are errors as in the first example also possible with tcp-connections, e.g. ssh? GH _______________________________________________ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]" _______________________________________________ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"