Date: Wed, 28 Jun 2000 10:03:02 -0300 (GMT)
From: Fernando Schapachnik <fpscha@ns1.via-net-works.net.ar>
To: hart@iserver.com (Paul Hart)
Cc: insane@lunatic.oneinsane.net, freebsd-security@FreeBSD.ORG
Subject: Re: icmp type 3 code 4: a couple of questions
Message-ID: <200006281303.KAA02473@ns1.via-net-works.net.ar>
In-Reply-To: <Pine.BSF.4.21.0006271215230.29364-100000@anchovy.orem.iserver.com> from Paul Hart at "Jun 27, 0 12:22:09 pm"

In a previous message, Paul Hart wrote:
> On Tue, 27 Jun 2000, Ron 'The InSaNe One' Rosson wrote:
> block in on fxp0
> pass out quick on fxp0 proto tcp from any to any keep state
> pass out quick on fxp0 proto udp from any to any keep state
> pass out quick on fxp0 proto icmp from any to any keep state

You will also need (at least in 3.4-RELEASE):

pass in quick on fxp0 proto icmp from any to any icmp-type 11

to let traceroute work. This is because when a traceroute packet goes to the
destination a state entry is created which lets packets from the destination
come back. The problem is, intermediate machines respond, and there's no
state entry for them in the table (this was gently pointed out to me a fews
ago on this same list).

Good luck!

Fernando P. Schapachnik
Network Administration
VIA NET.WORKS ARGENTINA S.A.
fernando@via-net-works.net.ar
(54-11) 4323-3333

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
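
The behaviour described in the message above, as an added example that is not part of the original e-mail and is not ipfilter code: a toy state table showing why ICMP type 11 replies from intermediate hops are blocked until the extra "pass in" rule exists. The class and function names and all addresses are constructed for illustration, and the model assumes state is tracked per host pair only (no ports or protocols).

```python
from collections import namedtuple

# Simplified packet; icmp_type is None for non-ICMP traffic.
Packet = namedtuple("Packet", "direction proto src dst icmp_type")

# Constructed sample addresses (documentation ranges), not from the message.
ME, DEST = "198.51.100.5", "192.0.2.9"
HOPS = ["203.0.113.1", "203.0.113.2"]

class StatefulFilter:
    """Toy model of 'block in' + 'pass out ... keep state' on one interface."""

    def __init__(self, allow_in_icmp_types=()):
        self.states = set()  # (local host, remote host) pairs
        self.allow_in_icmp_types = set(allow_in_icmp_types)

    def check(self, pkt):
        if pkt.direction == "out":
            # pass out quick ... keep state: remember who we talked to
            self.states.add((pkt.src, pkt.dst))
            return "pass"
        # Inbound traffic from a host we hold state for is let back in.
        if (pkt.dst, pkt.src) in self.states:
            return "pass (state)"
        # pass in quick ... proto icmp ... icmp-type N
        if pkt.proto == "icmp" and pkt.icmp_type in self.allow_in_icmp_types:
            return "pass (rule)"
        return "block"  # block in on fxp0

def traceroute(fw, me=ME, hops=HOPS, dest=DEST):
    """Send one probe per hop towards dest; return the verdict per reply."""
    verdicts = []
    for router in hops:
        fw.check(Packet("out", "udp", me, dest, None))
        # The intermediate router, not dest, answers: time exceeded (type 11).
        verdicts.append(fw.check(Packet("in", "icmp", router, me, 11)))
    fw.check(Packet("out", "udp", me, dest, None))
    # The destination itself answers: port unreachable (type 3).
    verdicts.append(fw.check(Packet("in", "icmp", dest, me, 3)))
    return verdicts

if __name__ == "__main__":
    print("keep state only:", traceroute(StatefulFilter()))
    print("plus icmp-type 11:", traceroute(StatefulFilter([11])))
```

The added rule admits type 11 only, so other unsolicited inbound ICMP still falls through to the block rule.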