Date:      Thu, 3 Jul 2003 08:00:32 -0700 (PDT)
From:      Maxim Konovalov <maxim@macomnet.ru>
To:        ipfw@FreeBSD.org
Subject:   Re: kern/51341
Message-ID:  <200307031500.h63F0W8w054799@freefall.freebsd.org>

The following reply was made to PR kern/51341; it has been noted by GNATS.

From: Maxim Konovalov <maxim@macomnet.ru>
To: Andrey Lakhno <land@dnepr.net>
Cc: bug-followup@freebsd.org, luigi@freebsd.org
Subject: Re: kern/51341
Date: Thu, 3 Jul 2003 18:53:35 +0400 (MSD)

 Hello Andrey,
 
 Here is another workaround: add the following rule before any icmp deny
 rules:
 
 	ipfw add pass icmp from any to any frag
 
 I would like to describe the problem in two words.  Please consider the
 following rule:
 
 	deny icmp from any to any icmptype 5
 
 Suppose we get an icmp fragment.  In fact, it does not contain
 information about its type, and due to the discussed bug ipfw1 will
 terminate the search and drop it.  ipfw2 behaviour is different: if we
 do not know the icmp type of the packet, we do not terminate the search
 and check the packet against the next rule.
 
 At the moment I really do not want to fix this bug because it changes
 a filtering policy and may have a negative effect on countless
 installations.
 
 Please let me know if you are satisfied with my explanation and I can
 close the PR.
 
 Thanks!
 
 -- 
 Maxim Konovalov, maxim@macomnet.ru, maxim@FreeBSD.org
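The ipfw1/ipfw2 difference described in the reply, as an added example that is not part of the original thread or of ipfw itself: a constructed, deliberately simplified model of ipfw rule matching that parses only the rule subset used in this PR (`from any to any`, `frag`, `icmptype N`), treats a non-first fragment as a packet whose ICMP type is unknown, and switches between the two behaviours with an `ipfw2` flag. The `parse_rule`, `evaluate` and `run` names, the `Rule`/`Packet` classes and the sample packets are assumptions of this model; the deny default stands in for the implicit final rule 65535 of a default kernel build.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed, simplified model of ipfw rule matching for the single corner
# case discussed in kern/51341 (a non-first ICMP fragment reaching an
# "icmptype" rule). It is not ipfw's code; real ipfw has many more options.


@dataclass
class Rule:
    action: str                        # "allow" or "deny" ("pass" == "allow")
    proto: str                         # "ip" matches any protocol, else "icmp"
    icmptype: Optional[int] = None     # "icmptype N": match one ICMP type
    frag: bool = False                 # "frag": match non-first fragments only


@dataclass
class Packet:
    proto: str
    frag_offset: int = 0               # > 0: the ICMP header (and type) is absent
    icmptype: Optional[int] = None     # None when the type is not visible


def parse_rule(text: str) -> Rule:
    """Parse the ipfw syntax subset used in this thread:
    <action> <proto> from any to any [frag] [icmptype N]."""
    tok = text.split()
    action, proto = tok[0], tok[1]
    if action == "pass":
        action = "allow"
    if tok[2:6] != ["from", "any", "to", "any"]:
        raise ValueError("only 'from any to any' is modelled: " + text)
    rule = Rule(action=action, proto=proto)
    opts = tok[6:]
    i = 0
    while i < len(opts):
        if opts[i] == "frag":
            rule.frag = True
            i += 1
        elif opts[i] == "icmptype":
            rule.icmptype = int(opts[i + 1])
            i += 2
        else:
            raise ValueError("unsupported option: " + opts[i])
    return rule


def evaluate(rules: List[Rule], pkt: Packet, ipfw2: bool) -> str:
    """Return the action taken for pkt under the ipfw1 or ipfw2 semantics
    described in the PR; fall through to a deny default (rule 65535)."""
    for rule in rules:
        if rule.proto != "ip" and rule.proto != pkt.proto:
            continue
        if rule.frag and pkt.frag_offset == 0:
            continue                    # "frag" never matches a first fragment
        if rule.icmptype is not None:
            if pkt.icmptype is None:
                # Non-first fragment: the ICMP type cannot be inspected.
                if ipfw2:
                    continue            # ipfw2: undecidable, check the next rule
                return rule.action      # ipfw1 (the bug): search stops here
            if pkt.icmptype != rule.icmptype:
                continue
        return rule.action
    return "deny"


def run(ruleset: List[str], pkt: Packet, ipfw2: bool) -> str:
    return evaluate([parse_rule(r) for r in ruleset], pkt, ipfw2)


# Rule sets: the one from the PR, and the same set with the workaround first.
ORIGINAL = ["deny icmp from any to any icmptype 5",
            "allow ip from any to any"]
WORKAROUND = ["pass icmp from any to any frag"] + ORIGINAL

# Constructed packets: a non-first ICMP fragment and a complete ICMP redirect.
FRAGMENT = Packet(proto="icmp", frag_offset=1)
REDIRECT = Packet(proto="icmp", icmptype=5)

if __name__ == "__main__":
    for name, rs in (("original", ORIGINAL), ("workaround", WORKAROUND)):
        for fw in (False, True):
            print(name, "ipfw2" if fw else "ipfw1",
                  "fragment:", run(rs, FRAGMENT, fw),
                  "redirect:", run(rs, REDIRECT, fw))
```

Under the original rule set the model drops the fragment on ipfw1 and allows it on ipfw2; with the workaround rule in front both variants allow it, while a complete ICMP redirect (type 5) is still denied in every case, because the first fragment carries the ICMP header and `frag` does not match it. The caveat the model makes visible is the one behind the author's reluctance to change ipfw1: the workaround, like the ipfw2 behaviour, lets any non-first ICMP fragment through regardless of type, so it is a policy change rather than a pure bug fix.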