From: Darren Reed
Subject: Re: IPFW problem?
To: freebsd@tomqnx.com (Tom Torrance)
Cc: hackers@FreeBSD.ORG
Date: Tue, 9 Jun 1998 21:12:31 +1000 (EST)
Message-Id: <199806091249.FAA10960@hub.freebsd.org>

In some mail from Tom Torrance, sie said:
>
> The sample file to the contrary, it appears that ipfw will not
> allow the "established" keyword for the "allow icmp" case.
>
> Is this a misunderstanding on my part or a genuine fault?
>
> Is there another way to allow ICMP only as part of the TCP protocol?

No. Not even IP Filter does this (yet). It does for NAT (that is ICMP
headers packets are checked for relevance to an active NAT mapping) and
is on my TODO list for "keep state" 'connections' too.

You've got several problems here, if you want to do it for ipfw, the first
being it has no concept of what "sessions" are currently in progress
across/through the firewall (whereas IP Filter can).

Darren
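
The relevance check mentioned in the reply rests on the fact that an ICMP error quotes the IP header and first 8 transport bytes of the packet that triggered it, which a firewall can compare against the sessions it tracks. The following C function is an added example, not part of the original message and not ipfw or IP Filter code; `struct session`, `icmp_related` and the sample bytes are hypothetical names and constructed data used for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical state-table entry for one tracked TCP session. */
struct session { uint32_t src, dst; uint16_t sport, dport; };

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }

/* Return 1 if the ICMP message (starting at its type byte) is an error that
 * quotes a TCP packet belonging to a tracked session, else 0.
 * Assumption: the ICMP checksum has already been verified by the caller. */
int icmp_related(const uint8_t *icmp, size_t len,
                 const struct session *tab, size_t n)
{
    if (len < 8 + 20 + 8) return 0;          /* ICMP hdr + IP hdr + 8 bytes of TCP */
    /* Accept only unreachable (3), time exceeded (11), parameter problem (12). */
    if (icmp[0] != 3 && icmp[0] != 11 && icmp[0] != 12) return 0;
    const uint8_t *ip = icmp + 8;            /* quoted IPv4 header */
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || len < 8 + ihl + 8) return 0;
    if (ip[9] != 6) return 0;                /* quoted packet must be TCP */
    uint32_t src = rd32(ip + 12), dst = rd32(ip + 16);
    uint16_t sport = rd16(ip + ihl), dport = rd16(ip + ihl + 2);
    for (size_t i = 0; i < n; i++) {
        const struct session *s = &tab[i];
        /* The quoted packet may have been sent by either endpoint. */
        if (s->src == src && s->dst == dst && s->sport == sport && s->dport == dport) return 1;
        if (s->src == dst && s->dst == src && s->sport == dport && s->dport == sport) return 1;
    }
    return 0;
}

/* Constructed sample: host unreachable quoting 192.0.2.10:49152 -> 198.51.100.7:80 */
static const uint8_t sample_icmp[36] = {
    3, 1, 0, 0, 0, 0, 0, 0,
    0x45, 0, 0, 40, 0, 0, 0x40, 0, 64, 6, 0, 0,
    192, 0, 2, 10, 198, 51, 100, 7,
    0xc0, 0x00, 0x00, 0x50, 0, 0, 0, 1 };
static const struct session sample_tab[] = {
    { 0xc000020au, 0xc6336407u, 49152, 80 } };

int main(void) {
    int ok = icmp_related(sample_icmp, sizeof sample_icmp, sample_tab, 1);
    printf("related to tracked session: %d\n", ok);
    return 0;
}
```

A filter without a session table has nothing to pass as `tab`, which is the limitation the reply points out for ipfw.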