Date: Fri, 4 Jul 2003 04:10:20 -0700 (PDT)
From: Maxim Konovalov <maxim@macomnet.ru>
To: ipfw@FreeBSD.org
Subject: Re: kern/51341 (fwd)
Message-ID: <200307041110.h64BAKju006786@freefall.freebsd.org>
The following reply was made to PR kern/51341; it has been noted by GNATS.

From: Maxim Konovalov <maxim@macomnet.ru>
To: bug-followup@freebsd.org
Cc:
Subject: Re: kern/51341 (fwd)
Date: Fri, 4 Jul 2003 15:09:15 +0400 (MSD)

---------- Forwarded message ----------
Date: Fri, 4 Jul 2003 13:47:56 +0300
From: Andrey Lakhno <land@dnepr.net>
To: Maxim Konovalov <maxim@macomnet.ru>
Subject: Re: kern/51341

Hello,

On Thu, 03 Jul 2003, Maxim Konovalov wrote:

> Here is another workaround: add the following rule before any icmp deny
> rules:
>
> ipfw add pass icmp from any to any frag
>
> I would like to describe the problem in two words. Please consider the
> next rule:
>
> deny icmp from any to any icmptype 5
>
> Consider we get an icmp fragment. In fact, it does not contain
> information about its type, and due to the discussed bug ipfw1 will
> terminate the search and drop it. ipfw2 behaviour is different: if we
> do not know the icmp type of the packet, do not terminate the search
> and check the packet against the next rule.
>
> At the moment I really do not want to fix this bug because it changes
> a filtering policy and may have a negative effect on countless
> installations.
>
> Please let me know if you are satisfied with my explanation and I can
> close the PR.

I think this bug should be described in ipfw(8) or fixed.

--
Andrey Lakhno, land-ripe
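The search-termination difference Maxim describes in the quoted text, modelled as an added example (this is not ipfw source and not part of the thread). A non-first IP fragment of an ICMP datagram carries no ICMP header, so a rule with an `icmptype` option cannot be evaluated against it; the model follows the message in making ipfw1 stop the search and drop such a packet, while ipfw2 treats the rule as not matching and moves on. It then runs the `deny icmp ... icmptype 5` ruleset with and without the suggested `pass icmp from any to any frag` workaround in front. The `Packet` and `Rule` classes, the reduced rule grammar (`from any to any` only, `icmptype` and `frag` options) and the default-deny final action are simplifying assumptions of the model, and the packets are constructed.

```python
"""Model of the ipfw1 vs ipfw2 rule-search behaviour described in PR kern/51341.

Added example, not ipfw code.  Assumptions: a reduced rule grammar
('ACTION PROTO from any to any [icmptype N] [frag]'), a default-deny final
action (like rule 65535 without IPFIREWALL_DEFAULT_TO_ACCEPT), and the two
handlings of an undecidable 'icmptype' match taken from the message.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str                       # "icmp", "tcp", "udp", ...
    frag_offset: int = 0             # > 0: non-first fragment, no L4 header present
    icmp_type: Optional[int] = None  # known only when the ICMP header is present

    @property
    def is_nonfirst_fragment(self) -> bool:
        return self.frag_offset > 0


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    proto: str = "ip"                # "ip" matches any protocol
    icmptype: Optional[int] = None   # 'icmptype N' option
    frag: bool = False               # 'frag' option: non-first fragments only


ACTIONS = {"allow": "allow", "pass": "allow", "accept": "allow",
           "deny": "deny", "drop": "deny"}
DEFAULT_ACTION = "deny"              # assumed default rule at the end of the search


def parse_rule(text: str) -> Rule:
    """Parse the subset 'ACTION PROTO from any to any [icmptype N] [frag]'."""
    tokens = text.split()
    action = ACTIONS[tokens[0]]
    proto = tokens[1]
    if tokens[2:6] != ["from", "any", "to", "any"]:
        raise ValueError("model only understands 'from any to any': %r" % text)
    icmptype, frag = None, False
    opts, i = tokens[6:], 0
    while i < len(opts):
        if opts[i] == "icmptype":
            icmptype = int(opts[i + 1])
            i += 2
        elif opts[i] == "frag":
            frag = True
            i += 1
        else:
            raise ValueError("unsupported option %r" % opts[i])
    return Rule(action, proto, icmptype, frag)


UNDECIDABLE = object()   # the rule needs a field this fragment does not carry


def match(rule: Rule, pkt: Packet):
    """True/False, or UNDECIDABLE when 'icmptype' is tested on a headerless fragment."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.frag and not pkt.is_nonfirst_fragment:
        return False
    if rule.icmptype is not None:
        if pkt.icmp_type is None:          # ICMP header is in another fragment
            return UNDECIDABLE
        return pkt.icmp_type == rule.icmptype
    return True


def evaluate(rules: List[Rule], pkt: Packet, version: int) -> str:
    """First-match search; 'version' selects the ipfw1 or ipfw2 handling of UNDECIDABLE."""
    for rule in rules:
        m = match(rule, pkt)
        if m is UNDECIDABLE:
            if version == 1:
                return "deny"              # ipfw1: search terminated, packet dropped
            continue                       # ipfw2: treated as no match, next rule
        if m:
            return rule.action
    return DEFAULT_ACTION


def compare(ruleset: List[str], pkt: Packet) -> dict:
    rules = [parse_rule(r) for r in ruleset]
    return {1: evaluate(rules, pkt, 1), 2: evaluate(rules, pkt, 2)}


# The rule from the message, followed by a permissive catch-all, and the same
# ruleset with the suggested workaround in front of it.
RULESET = ["deny icmp from any to any icmptype 5",
           "allow ip from any to any"]
WORKAROUND = ["pass icmp from any to any frag"] + RULESET

# Constructed packets: an unfragmented redirect (type 5), an echo request,
# and a non-first fragment of an ICMP datagram whose type cannot be seen.
REDIRECT = Packet("icmp", icmp_type=5)
ECHO_REQ = Packet("icmp", icmp_type=8)
ICMP_TAIL = Packet("icmp", frag_offset=185)   # offset 185*8 = 1480 bytes, no ICMP header

if __name__ == "__main__":
    for name, rs in (("original", RULESET), ("with workaround", WORKAROUND)):
        for pname, p in (("redirect", REDIRECT), ("echo", ECHO_REQ), ("icmp tail frag", ICMP_TAIL)):
            print(f"{name:16} {pname:15} {compare(rs, p)}")
```

The tail fragment is the only case where the two versions disagree without the workaround: ipfw1 denies it at the `icmptype 5` rule, ipfw2 falls through to the `allow ip` rule. With the `frag` pass rule placed first, both versions pass the fragment and still deny a complete redirect, which is why the workaround has to precede the icmp deny rules.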