Re: ipfw -- why need to let icmp out that I already let in?

2007-10-31 Thread freebsd
Are you sure you don't have some other rule which is letting those returned 
packets out the other port?  When I substitute your rule for my two:

  ipfw delete 10531
  ipfw delete 10532
  ipfw add 10531 allow icmp from any to any icmptypes 0,3,11,12 in

The returning packets are dropped inside the firewall.  (traceroute still 
works from the firewall itself, but not from an internal machine).


Gary


Dan Nelson wrote:
> In the last episode (Oct 31), Ivan Voras said:
> > [EMAIL PROTECTED] wrote:
> > 
> > > add 10510 allow icmp from any to any out via oif() keep-state
> > 
> > I don't think ICMP is stateful :)
> > 
> > You need both in and out rules for ICMP because the logical responses
> > to packets can't be reliably connected into a single communication.
> 
> I use "allow icmp from any to any icmptypes 0,3,11,12 in"
> 
> those types being "echo reply", "destination unreachable",
> "time-to-live exceeded", and "IP header bad".


___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


Re: ipfw -- why need to let icmp out that I already let in?

2007-10-31 Thread n j
> > add 10510 allow icmp from any to any out via oif() keep-state
>
> I don't think ICMP is stateful :)
>
> You need both in and out rules for ICMP because the logical responses to
> packets can't be reliably connected into a single communication.

Actually, I disagree. True, ICMP is not a stateful protocol; however,
the keep-state directive works for ICMP as well:

ipfw add 99 allow icmp from me to 192.168.1.1 keep-state

on "ping 192.168.1.1" creates the following dynamic rule:

00099  7  588 (5s) STATE icmp 192.168.1.2 0 <-> 192.168.1.1 0

On a side note, the validity interval of this rule is controlled by the
net.inet.ip.fw.dyn_short_lifetime sysctl variable and is in the above
case set to 5 seconds (default is 30).

Regards,
-- 
Nino
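As an added example (not code from this thread), a small Python parser for the dynamic-rule lines Nino shows above, so that output from `ipfw -d show` can be checked to confirm an ICMP keep-state entry was actually created and how much of its dyn_short_lifetime it has left. The sample listing is constructed: the ICMP line is the one from the post, while the TCP state and the trailing static rule are assumed for illustration.

```python
import re
from dataclasses import dataclass

# Line shape as shown in the post: rule pkts bytes (ttl s) STATE proto src sport <-> dst dport
# Some ipfw versions append a state name (e.g. ":default"); anything after dport is ignored.
DYN_RE = re.compile(
    r"^(?P<rule>\d+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+\((?P<ttl>\d+)s\)\s+STATE\s+"
    r"(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\d+)\s+<->\s+(?P<dst>\S+)\s+(?P<dport>\d+)"
)

@dataclass
class DynRule:
    rule: int
    pkts: int
    nbytes: int
    ttl: int      # seconds left before the dynamic rule expires
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

def parse_dynamic_rules(listing: str) -> list:
    """One DynRule per line in dynamic-rule format; static rules and other text are skipped."""
    rules = []
    for line in listing.splitlines():
        m = DYN_RE.match(line.strip())
        if m:
            g = m.groupdict()
            rules.append(DynRule(int(g["rule"]), int(g["pkts"]), int(g["bytes"]), int(g["ttl"]),
                                 g["proto"], g["src"], int(g["sport"]), g["dst"], int(g["dport"])))
    return rules

def icmp_state_exists(rules, local: str, remote: str) -> bool:
    """True when a dynamic ICMP entry pairs local with remote (direction does not matter)."""
    return any(r.proto == "icmp" and {r.src, r.dst} == {local, remote} for r in rules)

def expiring_within(rules, seconds: int) -> list:
    """Dynamic rules with at most `seconds` of lifetime left, soonest first."""
    return sorted((r for r in rules if r.ttl <= seconds), key=lambda r: r.ttl)

# Constructed sample listing: the ICMP line from the post, an assumed TCP state, a static rule.
SAMPLE = """\
00099  7  588 (5s) STATE icmp 192.168.1.2 0 <-> 192.168.1.1 0
00100 12 1540 (280s) STATE tcp 192.168.1.2 51234 <-> 192.168.1.1 22
65535 0 0 deny ip from any to any
"""
```

Feed the real listing with `parse_dynamic_rules(subprocess.check_output(["ipfw", "-d", "show"], text=True))` on the firewall; an empty ICMP result while a ping is running means the keep-state rule is not the one matching the outbound echo request.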


Re: ipfw -- why need to let icmp out that I already let in?

2007-10-31 Thread Dan Nelson
In the last episode (Oct 31), Ivan Voras said:
> [EMAIL PROTECTED] wrote:
> 
> > add 10510 allow icmp from any to any out via oif() keep-state
> 
> I don't think ICMP is stateful :)
> 
> You need both in and out rules for ICMP because the logical responses
> to packets can't be reliably connected into a single communication.

I use "allow icmp from any to any icmptypes 0,3,11,12 in"

those types being "echo reply", "destination unreachable",
"time-to-live exceeded", and "IP header bad".

-- 
Dan Nelson
[EMAIL PROTECTED]


Re: ipfw -- why need to let icmp out that I already let in?

2007-10-30 Thread Ivan Voras
[EMAIL PROTECTED] wrote:

> add 10510 allow icmp from any to any out via oif() keep-state

I don't think ICMP is stateful :)

You need both in and out rules for ICMP because the logical responses to
packets can't be reliably connected into a single communication.
