Date: Mon, 30 May 2005 15:19:30 +0100
From: Orla McGann <orly@cnri.dit.ie>
To: Igor Popov <igorpopov@newmail.ru>
Cc: ipfw@freebsd.org
Subject: Re: question concerned with dynamic rules
Message-ID: <20050530151930.G50686@kac.cnri.dit.ie>
In-Reply-To: <200505301630.21484.igorpopov@newmail.ru>
References: <200505301630.21484.igorpopov@newmail.ru>
On Mon, May 30, 2005 at 04:30:19PM +0300, Igor Popov wrote:
> Hi all,
> I have a question concerning dynamic rules. Say I have such rules:
> ipfw check-state
> ipfw allow udp from me to any out keep-state
>
> If the TTL of my packet becomes zero on some router in the path, it sends me an
> ICMP error message, TTL exceeded. Does the last rule create a dynamic rule that
> permits the ICMP error message? My experience with traceroute shows that such a
> rule is not created.
>
> But with such rules:
> ipfw check-state
> ipfw allow udp from me to any out keep-state
> ipfw allow icmp from any to me icmptype 3,4,11,12 in
> traceroute works.

I don't think IPFW2 has the "related" and "reply" functionality that exists in
Netfilter, where packets related to a dynamic connection, such as ICMP packets,
are also passed through the filter. So you need to explicitly add rules allowing
these icmptypes.

Regards,
Orla

--
Give a man a fish; you have fed him for today. Teach a man to use the Net and he
won't bother you for weeks.
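The behaviour discussed above, as an added illustration that is not part of the thread and not ipfw's own code: a deliberately simplified model of ipfw's check-state/keep-state matching. The dynamic entry created by "allow udp from me to any out keep-state" is keyed on the UDP flow (protocol and both endpoints). The ICMP time-exceeded reply traceroute relies on differs in two ways that no endpoint-swapping lookup can bridge: it is a different protocol, and it comes from the intermediate router rather than from the probed destination. The addresses (192.0.2.10 as "me", 198.51.100.7 as the target, 203.0.113.1 as the router), the probe ports and the default-deny fall-through are constructed assumptions for the demo; the real ipfw state entry also carries the parent rule number, timers and more fields than this model keeps.

```python
"""Toy model of ipfw dynamic-rule matching (added illustration, not ipfw code).

Shows why 'allow udp from me to any out keep-state' does not admit the ICMP
time-exceeded replies that traceroute needs, and why an explicit static rule
for those icmptypes fixes it.
"""
from dataclasses import dataclass
from typing import Optional

UDP, ICMP = 17, 1
ME = "192.0.2.10"          # constructed address standing in for "me"
TARGET = "198.51.100.7"    # constructed traceroute destination
ROUTER = "203.0.113.1"     # constructed intermediate hop that answers with ICMP 11


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    direction: str             # "in" or "out"
    sport: int = 0             # UDP ports (0 for ICMP)
    dport: int = 0
    icmptype: int = -1         # ICMP type (-1 for non-ICMP)


@dataclass(frozen=True)
class Rule:
    action: str                          # "allow", "deny" or "check-state"
    proto: Optional[int] = None          # None matches any protocol
    src: Optional[str] = None            # None = any, "me" = ME
    dst: Optional[str] = None
    direction: Optional[str] = None
    icmptypes: frozenset = frozenset()   # empty = any ICMP type
    keep_state: bool = False


def _addr_ok(want, have):
    return want is None or (ME if want == "me" else want) == have


def static_match(rule, pkt):
    return (
        (rule.proto is None or rule.proto == pkt.proto)
        and _addr_ok(rule.src, pkt.src)
        and _addr_ok(rule.dst, pkt.dst)
        and (rule.direction is None or rule.direction == pkt.direction)
        and (not rule.icmptypes or pkt.icmptype in rule.icmptypes)
    )


def flow_key(pkt):
    """Key of a dynamic entry: protocol plus both endpoints (assumed shape)."""
    return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)


class Firewall:
    def __init__(self, rules):
        self.rules = list(rules)
        self.dynamic = {}   # flow key -> action of the rule that created it

    def dynamic_lookup(self, pkt):
        fwd = flow_key(pkt)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return self.dynamic.get(fwd) or self.dynamic.get(rev)

    def filter(self, pkt):
        for rule in self.rules:
            if rule.action == "check-state":
                hit = self.dynamic_lookup(pkt)
                if hit:
                    return hit
                continue
            if static_match(rule, pkt):
                if rule.keep_state:
                    self.dynamic[flow_key(pkt)] = rule.action
                return rule.action
        return "deny"   # assumes a default-deny last rule


def traceroute_step(rules):
    """One UDP probe out, then the router's ICMP time-exceeded (type 11) in.
    Returns (probe verdict, reply verdict)."""
    fw = Firewall(rules)
    probe = Packet(UDP, ME, TARGET, "out", sport=40000, dport=33434)
    reply = Packet(ICMP, ROUTER, ME, "in", icmptype=11)
    return fw.filter(probe), fw.filter(reply)


def why_no_state_hit():
    """Fields of the reply (endpoints swapped) that differ from the UDP entry."""
    probe = Packet(UDP, ME, TARGET, "out", sport=40000, dport=33434)
    reply = Packet(ICMP, ROUTER, ME, "in", icmptype=11)
    stored = {"proto": probe.proto, "src": probe.src, "dst": probe.dst}
    swapped = {"proto": reply.proto, "src": reply.dst, "dst": reply.src}
    return [name for name in stored if stored[name] != swapped[name]]


# Igor's first ruleset: check-state plus the UDP keep-state rule only.
RULES_NO_ICMP = [
    Rule("check-state"),
    Rule("allow", proto=UDP, src="me", direction="out", keep_state=True),
]

# Igor's second ruleset: the same, plus the explicit ICMP error rule.
RULES_WITH_ICMP = RULES_NO_ICMP + [
    Rule("allow", proto=ICMP, dst="me", direction="in",
         icmptypes=frozenset({3, 4, 11, 12})),
]

if __name__ == "__main__":
    print("without icmp rule:", traceroute_step(RULES_NO_ICMP))
    print("with icmp rule:   ", traceroute_step(RULES_WITH_ICMP))
    print("reply differs from UDP state in:", why_no_state_hit())
```

Running it shows the probe allowed in both cases, the ICMP reply dropped only with the first ruleset, and the reply differing from the stored UDP entry in both protocol and peer address. That second point is why no symmetric state lookup can help here and why the explicit "icmptype 3,4,11,12 in" rule is the right fix, restricted to the error types rather than all of ICMP.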