Date: Thu, 8 Jun 2000 17:49:10 +0000 (GMT)
From: Fernando Gleiser <fgleiser@cactus.fi.uba.ar>
To: Fernando Schapachnik <fpscha@via-net-works.net.ar>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: IPFilter question
Message-ID: <Pine.BSF.4.21.0006081740020.25947-100000@cactus.fi.uba.ar>
In-Reply-To: <200006071452.LAA16205@ns1.via-net-works.net.ar>
On Wed, 7 Jun 2000, Fernando Schapachnik wrote:

> Hi:
> 	I've read the ipf-howto whose URL was published in the list a
> few months ago and used it to construct a FW. Everything was fine except
> for:
>
> 	Using keep state with icmp doesn't allow traceroutes. The
> solution I found was to let icmp types 0 and 11 in. Is this supposed
> to work this way or did I misconfigure something? Shouldn't `keep state' be
> enough to let traceroute work?

You don't need to allow icmp type 0. It is covered by the keep state.

You also need to allow incoming ICMP type 3 (unreachable) codes 0, 1, 3, 9, 10
and 13 for traceroute to work properly.

You also need to allow ICMP type 3 code 4 (unreachable: need to frag) for
path MTU discovery to work.

If you have further questions, mail me privately and I'll give you my phone
number (I live in Bs As also).

			Fer
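
The ICMP policy discussed in this exchange, written out as ipf rules. This is an added example, not part of the original message or of the ipf-howto; the interface name `tun0` and the closing block rule are assumptions.

```conf
# Added example. Assumed: tun0 is the external interface (hypothetical name)
# and everything not passed below is dropped by the final rule.

# Outbound ICMP with state. Echo replies (type 0) to our own pings are
# matched by the state entry, so no separate inbound rule for type 0.
pass out quick on tun0 proto icmp from any to any keep state

# Time exceeded (type 11), already allowed in the original question:
# sent by intermediate hops as traceroute probes expire.
pass in quick on tun0 proto icmp from any to any icmp-type 11

# Destination unreachable (type 3), the codes listed in the reply for traceroute.
pass in quick on tun0 proto icmp from any to any icmp-type 3 code 0   # net unreachable
pass in quick on tun0 proto icmp from any to any icmp-type 3 code 1   # host unreachable
pass in quick on tun0 proto icmp from any to any icmp-type 3 code 3   # port unreachable
pass in quick on tun0 proto icmp from any to any icmp-type 3 code 9   # net administratively prohibited
pass in quick on tun0 proto icmp from any to any icmp-type 3 code 10  # host administratively prohibited
pass in quick on tun0 proto icmp from any to any icmp-type 3 code 13  # communication administratively prohibited

# Type 3 code 4 (fragmentation needed): required for path MTU discovery.
pass in quick on tun0 proto icmp from any to any icmp-type 3 code 4

# All other inbound ICMP is dropped (assumed default-deny stance).
block in quick on tun0 proto icmp from any to any
```

Narrowing the `from any to any` addresses to the protected network keeps the inbound exceptions as small as the setup allows.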