Date: Sun, 14 Oct 2001 20:00:34 +0200
From: Rémi Guyomarch <rguyom@pobox.com>
To: freebsd-stable@FreeBSD.ORG
Subject: Re: IPFW or IPFILTER?
Message-ID: <20011014200034.B93723@diabolic-cow.chatgris.net>
In-Reply-To: <200110141616.f9EGG5x37636@lurza.secnetix.de>; from olli@secnetix.de on Sun, Oct 14, 2001 at 06:16:05PM +0200
References: <20011014180756.A17546@adv.devet.org> <200110141616.f9EGG5x37636@lurza.secnetix.de>
On Sun, Oct 14, 2001 at 06:16:05PM +0200, Oliver Fromme wrote:
> Arjan de Vet <devet@devet.org> wrote:
> >
> > IIRC ipfilter does not allow '_any_ ICMP' in such a case: if you send an
> > 'ICMP echo' with keep-state then only 'ICMP echo reply' packets will be
> > allowed to pass through.
>
> That's bad, because you usually want to see other types of
> ICMP replies, too, such as TTL exceeded, host unreachable,
> communication prohibited etc.

Yes, this is exactly how ipfilter works. "keep state" will let properly
formatted icmp errors pass through, the underlying protocol being tcp, udp
or icmp.

-- 
Rémi
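An added example, not part of the original message and not ipfilter's own code: a simplified Python model of how a stateful filter can tie an inbound ICMP error to kept state by parsing the datagram quoted inside the error. The function names, the state-key layout, the accepted error types and the sample addresses are all assumptions made for this sketch.

```python
import socket
import struct

ICMP_ERRORS = {3, 4, 11, 12}  # unreachable, source quench, time exceeded, parameter problem

def ip_packet(src, dst, proto, l4):
    """Minimal IPv4 packet for the model (checksums left at 0)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + l4

def flow_key(pkt):
    """(proto, src, dst, a, b) from an IPv4 header plus 8 transport bytes, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl + 8:
        return None
    proto, l4 = pkt[9], pkt[ihl:ihl + 8]
    if proto in (6, 17):
        a, b = struct.unpack("!HH", l4[:4])             # source port, destination port
    elif proto == 1:
        a, b = l4[0], struct.unpack("!H", l4[4:6])[0]   # ICMP type, echo identifier
    else:
        return None
    return (proto, pkt[12:16], pkt[16:20], a, b)

def inbound_allowed(pkt, states):
    """Reason an inbound packet matches kept state, or None (dropped)."""
    key = flow_key(pkt)
    if key is None:
        return None
    proto, src, dst, a, b = key
    if proto == 1 and a in ICMP_ERRORS:
        ihl = (pkt[0] & 0x0F) * 4
        inner = flow_key(pkt[ihl + 8:])   # datagram quoted after the 8-byte ICMP header
        # Pass only if the quoted datagram is one we sent and the error targets its sender.
        return "icmp error" if inner in states and inner[1] == dst else None
    if proto == 1 and a == 0 and (1, dst, src, 8, b) in states:
        return "echo reply"
    if proto in (6, 17) and (proto, dst, src, b, a) in states:
        return "reply"
    return None

# Constructed sample traffic (documentation addresses, not taken from the thread).
UDP_OUT = ip_packet("192.0.2.10", "198.51.100.7", 17, struct.pack("!HHHH", 40000, 33434, 8, 0))
ECHO_OUT = ip_packet("192.0.2.10", "198.51.100.7", 1, struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1))
STATES = {flow_key(UDP_OUT), flow_key(ECHO_OUT)}

def icmp_error(router, icmp_type, code, quoted):
    """ICMP error sent by `router` to the inside host, quoting 28 bytes of `quoted`."""
    return ip_packet(router, "192.0.2.10", 1, struct.pack("!BBHI", icmp_type, code, 0, 0) + quoted[:28])
```

In this model an error that quotes an untracked or truncated datagram is dropped, which is the "properly formatted" condition the reply refers to.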