Date:      Wed, 12 Feb 2003 00:13:55 +0200
From:      Willie Viljoen <will@unfoldings.net>
To:        freebsd-ipfw@freebsd.org
Subject:   Re: ipfw2 bug?
Message-ID:  <200302120013.55241.will@unfoldings.net>
In-Reply-To: <20030211195112.GA36140@graf.priv.at>
References:  <web-24345945@mail.agtel.net> <20030211195112.GA36140@graf.priv.at>

On Tuesday 11 February 2003 21:51, Georg Graf wrote:
> On Mon, Feb 10, 2003 at 09:47:33PM +0300, Andy Jema wrote:
> > I try to use the following ruleset:
> >
> > ipfw add check-state
> >
> > ipfw add allow tcp from me to any keep-state out via fxp0 setup
> > ipfw add allow udp from me to any keep-state out via fxp0
> > ipfw add allow icmp from me to any keep-state out via fxp0
> >
> > ipfw add 65435 deny log ip from any to any
> >
> > but in attempt of tracerouting of any external host I'm
> > getting the denying message in log
> > Feb 11 21:25:04 nss1 /ns1: ipfw: 65435 Deny ICMP:11.0
> > <external host> <my host> in via fxp0
>
> Your setup installs udp dynamic allow rules, but you keep blocking
> the icmp ttl exceeded messages from the routers resp. the icmp port
> closed messages from the host you traceroute.
>
> > At the same time when i use the common rule like
> >
> > ipfw add check-state
> > ipfw add allow ip from me to any keep-state out via fxp0
> >
> > all works fine
>
> I don't believe that resp. cannot reproduce it on a 4.7-RELEASE-p4
> box. I guess you have an icmp allow rule somewhere left.
>
>   George

You want this rule:

ipfw add allow icmp from any to any icmptypes 0,3,4,8,11,12,13,14

You can take out 4 if you do not want source quench (most people don't need 
it), and you can remove 8 if you do not want your host to be externally 
pingable, but the rest are absolutely needed, for outgoing traceroutes, 
ICMP error messages, path MTU discovery, etc. The reason the internet is 
so slow nowadays is because people block these, and they are *REALLY* 
needed.

For more information, you can read the firewall(7) man page.

Will

-- 
Willie Viljoen
Freelance IT Consultant

214 Paul Kruger Avenue, Universitas
Bloemfontein
9321
South Africa

+27 51 522 15 60
+27 51 522 44 36 (after hours)
+27 82 404 03 27 (mobile)

will@unfoldings.net
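The mismatch Georg and Will describe, as an added example that is not from the thread or from FreeBSD: a toy model of ipfw's check-state/keep-state matching, showing why the posted UDP keep-state rule never admits the router's ICMP time-exceeded reply and why the icmptypes rule does. Addresses and the single hop are constructed; the model ignores rule numbers, interfaces and ports, and assumes every keep-state rule is an allow.

```python
from dataclasses import dataclass

ME = "192.0.2.10"  # constructed address standing in for ipfw's "me"

@dataclass
class Packet:
    proto: str          # "udp", "tcp" or "icmp"
    src: str
    dst: str
    icmptype: int = -1  # only meaningful for icmp

@dataclass
class Rule:
    action: str
    proto: str = "ip"          # "ip" matches any protocol
    from_me: bool = False      # the "from me" clause
    check_state: bool = False
    keep_state: bool = False
    icmptypes: tuple = ()      # empty tuple = any type

def flow_key(p, reverse=False):
    # Dynamic rules are keyed on protocol and both endpoints, so an ICMP
    # error sent by a router (other proto, other source) never matches them.
    return (p.proto, p.dst, p.src) if reverse else (p.proto, p.src, p.dst)

def evaluate(rules, pkt, state):
    # First matching rule wins; keep-state rules record the flow in `state`.
    for r in rules:
        if r.check_state:
            if flow_key(pkt) in state or flow_key(pkt, True) in state:
                return "allow"  # the dynamic rule's parent is an allow
            continue
        if r.proto != "ip" and r.proto != pkt.proto:
            continue
        if r.from_me and pkt.src != ME:
            continue
        if r.icmptypes and pkt.icmptype not in r.icmptypes:
            continue
        if r.keep_state:
            state.add(flow_key(pkt))
        return r.action
    return "deny"  # rule 65435: deny log ip from any to any

POSTED = [Rule("allow", check_state=True),
          Rule("allow", "udp", from_me=True, keep_state=True),
          Rule("allow", "icmp", from_me=True, keep_state=True)]
FIXED = POSTED + [Rule("allow", "icmp", icmptypes=(0, 3, 4, 8, 11, 12, 13, 14))]

def traceroute_hop(rules):
    # One UDP probe goes out, then the router's ICMP type 11 reply comes in.
    state = set()
    evaluate(rules, Packet("udp", ME, "198.51.100.7"), state)
    return evaluate(rules, Packet("icmp", "203.0.113.1", ME, icmptype=11), state)
```

With the posted rules the reply falls through to the final deny, which is the log line Andy saw; with the icmptypes rule it is allowed, while an ICMP type not in the list (a redirect, type 5) is still denied.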

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200302120013.55241.will>