Hi,

>> with scrub in all set at the firewall, will openbsd handle icmp packets
>> of type unreach code needfrag automatically, because of the statefulness?
>> as far as I know, icmp packets like port/host/network unreachable are
>> allowed by the keep state statements, does this also apply for the need
>> fragment codes of icmp unreachable messages?
>>
>> or shall I have to add a rule to allow these packets explicitly?
>
> citing pf.conf(5):
>
> ...
>
> STATEFUL INSPECTION
>
> ...
>
> ICMP messages fall into two categories: ICMP error messages, which always
> refer to a TCP or UDP packet, are matched against the referred to
> connection. If one keeps state on a TCP connection, and an ICMP source
> quench message referring to this TCP connection arrives, it will be
> matched to the right state and get passed.
>
> ...
Thanks, I must have overlooked it; I thought only these unreachable messages
would be part of a state. But on the other side I found this:
http://kerneltrap.org/node/579 regarding Linux NFS and openbsd pf and scrub.

After reading that, I assume that I will not need to add an explicit rule for
the needfrag ICMP packets; only if I run into some trouble might I exclude a
bit of traffic from scrubbing.

thanks
lars
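The pf.conf(5) paragraph quoted above is the whole answer, but it is easy to misread. The model below is an added example written for this thread, not code from OpenBSD or from anyone on the list: it shows what "matched against the referred-to connection" means on the wire. An ICMP error (here type 3 code 4, fragmentation needed) quotes the IP header and first 8 bytes of the transport header of the packet that triggered it; a stateful filter rebuilds the state key from that quoted packet and passes the error only if a matching state exists. Addresses come from the RFC 5737 documentation ranges, the state table is a plain set keyed on the outbound direction, and IP/ICMP checksums are not verified; all of that is simplification for the example, not pf internals.

```python
import socket
import struct
from dataclasses import dataclass

# Constructed sample addresses (RFC 5737 documentation ranges); assumptions of this example.
CLIENT, SERVER, ROUTER = "192.0.2.10", "198.51.100.20", "203.0.113.1"
IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17
# RFC 792 error types: dest unreachable, source quench, time exceeded, parameter problem.
ICMP_ERROR_TYPES = {3, 4, 11, 12}
UNREACH, NEEDFRAG = 3, 4


@dataclass(frozen=True)
class StateKey:
    proto: int
    src: str
    sport: int
    dst: str
    dport: int


def ipv4_header(src, dst, proto, payload_len, df=True):
    """Minimal 20-byte IPv4 header; checksum left 0 because the matcher never verifies it."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234,
                       0x4000 if df else 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def tcp_prefix(sport, dport, seq=1000):
    """First 8 bytes of a TCP header (ports + sequence number): all an ICMP error quotes."""
    return struct.pack("!HHI", sport, dport, seq)


def icmp_error(itype, code, original, mtu=0):
    """ICMP error: 8-byte header (last field is the next-hop MTU for needfrag, RFC 1191)
    followed by the offending packet's IP header plus the first 8 bytes of its payload."""
    return struct.pack("!BBHHH", itype, code, 0, 0, mtu) + original[:28]


def parse_ipv4(pkt):
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return proto, socket.inet_ntoa(src), socket.inet_ntoa(dst), pkt[ihl:]


def state_key(pkt):
    """State-table key for an IPv4 TCP/UDP packet; None for anything else or truncated data."""
    if len(pkt) < 24:
        return None
    proto, src, dst, payload = parse_ipv4(pkt)
    if proto not in (IPPROTO_TCP, IPPROTO_UDP) or len(payload) < 4:
        return None
    sport, dport = struct.unpack("!HH", payload[:4])
    return StateKey(proto, src, sport, dst, dport)


def filter_inbound_icmp(states, pkt):
    """Verdict for an inbound ICMP packet under a pf-style "keep state" rule on TCP/UDP.

    Returns (verdict, key, mtu): key is the connection the error refers to, mtu the
    next-hop MTU carried by a needfrag error (None for other error codes).
    """
    proto, _, _, icmp = parse_ipv4(pkt)
    if proto != IPPROTO_ICMP or len(icmp) < 8:
        return "block", None, None
    itype, code, _, _, mtu = struct.unpack("!BBHHH", icmp[:8])
    if itype not in ICMP_ERROR_TYPES:
        # Echo and other ICMP queries are not errors: they need their own state or pass rule.
        return "block", None, None
    key = state_key(icmp[8:])  # the quoted original packet identifies the connection
    if key is None or key not in states:
        return "block", key, None
    return "pass", key, (mtu if (itype, code) == (UNREACH, NEEDFRAG) else None)


def demo():
    """Constructed scenario: one state for client -> server TCP/80 (as the outbound SYN would
    create), a needfrag error from a router for a 1500-byte DF packet on that connection,
    the same error for a connection with no state, and an echo request."""
    states = {StateKey(IPPROTO_TCP, CLIENT, 40000, SERVER, 80)}
    # The quoted header keeps the original total length (1500) even though only 28 bytes are quoted.
    outbound = ipv4_header(CLIENT, SERVER, IPPROTO_TCP, 1480) + tcp_prefix(40000, 80)
    body = icmp_error(UNREACH, NEEDFRAG, outbound, mtu=1400)
    needfrag = ipv4_header(ROUTER, CLIENT, IPPROTO_ICMP, len(body), df=False) + body

    stray = ipv4_header(CLIENT, SERVER, IPPROTO_TCP, 1480) + tcp_prefix(40001, 80)
    body = icmp_error(UNREACH, NEEDFRAG, stray, mtu=1400)
    unknown = ipv4_header(ROUTER, CLIENT, IPPROTO_ICMP, len(body), df=False) + body

    echo = ipv4_header(ROUTER, CLIENT, IPPROTO_ICMP, 8) + struct.pack("!BBHHH", 8, 0, 0, 1, 1)
    return {
        "needfrag": filter_inbound_icmp(states, needfrag),
        "unknown": filter_inbound_icmp(states, unknown),
        "echo": filter_inbound_icmp(states, echo),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

The point for the original question: the needfrag error passes because of the TCP state, with no separate `pass in inet proto icmp icmp-type unreach code needfrag` rule, while the same error for a connection the filter never saw is dropped. The kerneltrap thread lars mentions is about the other half of the picture: scrub reassembling or clearing DF on fragments is a separate step from state matching, so if a path-MTU problem appears, the rule to revisit is the scrub rule, not the ICMP pass rule.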

