Date: Tue, 17 Jul 2001 15:18:35 -0300 (ART)
From: Fernando Gleiser <fgleiser@cactus.fi.uba.ar>
To: Mark Livingstone <mlivingstone@ottawa.com>
Cc: <freebsd-questions@FreeBSD.ORG>
Subject: Re: how could this PACKET get through?!
Message-ID: <20010717151034.C96585-100000@cactus.fi.uba.ar>
In-Reply-To: <200107171815.OAA19997@mail.ottawa.com>

On Tue, 17 Jul 2001, Mark Livingstone wrote:

[snip]
>
> pass in log quick on ed0 proto icmp from any to any icmp-type 0
> pass in log quick on ed0 proto icmp from any to any icmp-type unreach code 3
> pass in log quick on ed0 proto icmp from any to any icmp-type unreach code 4
> pass in log quick on ed0 proto icmp from any to any icmp-type timex
                                                      ^^^^^^^^

Here it is: you allow incoming icmp time exceeded, and log it. The packet you
received was a time exceeded in transit (11/0).

Those seem to be the rules to make traceroute work. If you keep state on
outgoing udp packets you won't need them; the state code can tell icmp packets
which are responses to outgoing packets from icmp packets which aren't
(because an icmp error has the first bytes of the packet which caused it).

			Fer
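
The matching described in the reply above, as an added example that is not part of the original message and is not ipfilter's own code: a simplified Python model of a state table that accepts an ICMP error only when the datagram quoted inside it belongs to a recorded outgoing UDP flow. The addresses, ports and function names are constructed for illustration, and only the quoted flow is compared.

```python
import socket
import struct

ICMP_ERRORS = {3, 11}  # destination unreachable, time exceeded

def ip_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; checksum left at zero in this sample."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def udp_probe(src, sport, dst, dport):
    """Outgoing UDP datagram with no payload, like a traceroute probe."""
    return ip_header(src, dst, 17, 8) + struct.pack("!HHHH", sport, dport, 8, 0)

def icmp_error(router, target, icmp_type, code, offending):
    """ICMP error quoting the offending IP header plus its first 8 bytes."""
    quoted = offending[:(offending[0] & 0x0F) * 4 + 8]
    body = struct.pack("!BBHI", icmp_type, code, 0, 0) + quoted
    return ip_header(router, target, 1, len(body)) + body

def flow_of(datagram):
    """Return (src, sport, dst, dport) of a UDP datagram, or None."""
    if len(datagram) < 20 or datagram[9] != 17:
        return None
    ihl = (datagram[0] & 0x0F) * 4
    if len(datagram) < ihl + 4:
        return None
    sport, dport = struct.unpack("!HH", datagram[ihl:ihl + 4])
    return (datagram[12:16], sport, datagram[16:20], dport)

def icmp_matches_state(packet, states):
    """True only for an ICMP error that quotes a datagram we hold state for."""
    if len(packet) < 20 or packet[9] != 1:
        return False
    ihl = (packet[0] & 0x0F) * 4
    if len(packet) < ihl + 8 or packet[ihl] not in ICMP_ERRORS:
        return False
    flow = flow_of(packet[ihl + 8:])  # skip the 8-byte ICMP header
    return flow is not None and flow in states

# Constructed sample traffic using documentation addresses.
PROBE = udp_probe("192.0.2.10", 40000, "198.51.100.7", 33434)
STATES = {flow_of(PROBE)}  # state created when the probe left
SOLICITED = icmp_error("203.0.113.1", "192.0.2.10", 11, 0, PROBE)
STRAY = icmp_error("203.0.113.1", "192.0.2.10", 11, 0,
                   udp_probe("192.0.2.10", 40001, "198.51.100.7", 33434))

if __name__ == "__main__":
    print("solicited:", icmp_matches_state(SOLICITED, STATES))
    print("stray:    ", icmp_matches_state(STRAY, STATES))
```

The time exceeded message that quotes the recorded probe is accepted, while the one quoting a flow with no state is rejected, so no blanket `icmp-type timex` pass rule is needed.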