From owner-freebsd-hackers Tue Jun 9 08:50:42 1998
Return-Path:
Received: (from majordom@localhost)
    by hub.freebsd.org (8.8.8/8.8.8) id IAA23878
    for freebsd-hackers-outgoing; Tue, 9 Jun 1998 08:50:42 -0700 (PDT)
    (envelope-from owner-freebsd-hackers@FreeBSD.ORG)
Received: from alpo.whistle.com (alpo.whistle.com [207.76.204.38])
    by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id IAA23628
    for ; Tue, 9 Jun 1998 08:49:43 -0700 (PDT)
    (envelope-from julian@whistle.com)
Received: (from daemon@localhost)
    by alpo.whistle.com (8.8.5/8.8.5) id IAA04291;
    Tue, 9 Jun 1998 08:37:25 -0700 (PDT)
Received: from current1.whistle.com(207.76.205.22) via SMTP
    by alpo.whistle.com, id smtpd004289; Tue Jun 9 15:37:22 1998
Date: Tue, 9 Jun 1998 08:37:18 -0700 (PDT)
From: Julian Elischer
To: Darren Reed
cc: Tom Torrance , hackers@FreeBSD.ORG
Subject: Re: IPFW problem?
In-Reply-To: <199806091249.FAA10960@hub.freebsd.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

IPFW relies on a separate module (libnat) to keep track of stateful
sessions.

You could add code to libnat to do what you want.

julian

On Tue, 9 Jun 1998, Darren Reed wrote:

> In some mail from Tom Torrance, sie said:
> >
> > The sample file to the contrary, it appears that ipfw will not
> > allow the "established" keyword for the "allow icmp" case.
> >
> > Is this a misunderstanding on my part or a genuine fault?
> >
> > Is there another way to allow ICMP only as part of the TCP protocol?
>
> No.
>
> Not even IP Filter does this (yet). It does for NAT (that is ICMP
> headers packets are checked for relevance to an active NAT mapping)
> and is on my TODO list for "keep state" 'connections' too. You've
> got several problems here, if you want to do it for ipfw, the first
> being it has no concept of what "sessions" are currently in progress
> across/through the firewall (whereas IP Filter can).
>
> Darren
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-hackers" in the body of the message
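
The relevance check discussed in this thread (accepting an ICMP packet only when it refers to a session the firewall already tracks) can be sketched as below. This is an added example, not code from ipfw, IP Filter or any poster; `struct tcp_state`, `icmp_related` and the sample packet are hypothetical and constructed for illustration. It does not verify checksums or the quoted TCP sequence number.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One tracked TCP session, host byte order (hypothetical state entry). */
struct tcp_state { uint32_t src, dst; uint16_t sport, dport; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Return 1 if the ICMP message is an error that quotes a packet belonging to a
 * tracked TCP session (either direction), else 0. icmp points at the ICMP header. */
int icmp_related(const uint8_t *icmp, size_t len, const struct tcp_state *tab, size_t n)
{
    if (len < 8) return 0;
    /* Only error types quote the offending packet: 3 unreachable,
     * 11 time exceeded, 12 parameter problem. Queries (echo etc.) never match. */
    if (icmp[0] != 3 && icmp[0] != 11 && icmp[0] != 12) return 0;
    const uint8_t *ip = icmp + 8;             /* quoted IP header */
    size_t left = len - 8;
    if (left < 20 || (ip[0] >> 4) != 4) return 0;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if (ihl < 20 || left < ihl + 8) return 0; /* need IP header + 8 bytes of TCP */
    if (ip[9] != 6) return 0;                 /* quoted protocol must be TCP */
    uint32_t src = rd32(ip + 12), dst = rd32(ip + 16);
    uint16_t sport = rd16(ip + ihl), dport = rd16(ip + ihl + 2);
    for (size_t i = 0; i < n; i++) {
        const struct tcp_state *s = &tab[i];
        if (s->src == src && s->dst == dst && s->sport == sport && s->dport == dport) return 1;
        if (s->src == dst && s->dst == src && s->sport == dport && s->dport == sport) return 1;
    }
    return 0;
}

/* Constructed sample: type 3 code 4 quoting 192.0.2.10:40000 -> 198.51.100.5:80.
 * Checksums are zeroed and not verified here. */
static const uint8_t SAMPLE[36] = {
    0x03,0x04,0x00,0x00, 0x00,0x00,0x05,0xdc,
    0x45,0x00,0x05,0xdc, 0x00,0x01,0x40,0x00, 0x40,0x06,0x00,0x00,
    0xc0,0x00,0x02,0x0a, 0xc6,0x33,0x64,0x05,
    0x9c,0x40,0x00,0x50, 0x00,0x00,0x00,0x01 };
static const struct tcp_state TABLE[1] = { { 0xc000020aU, 0xc6336405U, 40000, 80 } };

int main(void)
{
    printf("related: %d\n", icmp_related(SAMPLE, sizeof SAMPLE, TABLE, 1));
    return 0;
}
```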