From: Rémi Guyomarch
Date: Sun, 14 Oct 2001 20:00:34 +0200
To: freebsd-stable@FreeBSD.ORG
Subject: Re: IPFW or IPFILTER?

On Sun, Oct 14, 2001 at 06:16:05PM +0200, Oliver Fromme wrote:
> Arjan de Vet wrote:
> >
> > IIRC ipfilter does not allow '_any_ ICMP' in such a case: if you send an
> > 'ICMP echo' with keep-state then only 'ICMP echo reply' packets will be
> > allowed to pass through.
>
> That's bad, because you usually want to see other types of
> ICMP replies, too, such as TTL exceeded, host unreachable,
> communication prohibited etc.

Yes, this is exactly how ipfilter works. "keep state" will let properly
formatted icmp errors pass through, the underlying protocol being tcp,
udp or icmp.
--
Rémi
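
Added example, not part of the original message and not ipfilter's code: a simplified Python model of how a stateful filter can accept an ICMP error only when the datagram quoted inside it belongs to a flow recorded by "keep state". The function names, the chosen set of error types and the sample packets are assumptions made for illustration; ordinary replies such as echo reply are matched by the state entry itself and are outside this model.

```python
import socket
import struct

# Model's choice of error types: unreachable, source quench, time exceeded, parameter problem.
ICMP_ERRORS = {3, 4, 11, 12}

def ip_header(proto, src, dst, payload_len):
    """Minimal 20-byte IPv4 header for constructed samples (checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def flow_key(pkt):
    """Key for an IPv4 packet: (proto, src, dst, a, b), or None if malformed."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl + 8:       # need header plus 8 bytes of L4
        return None
    proto, l4 = pkt[9], pkt[ihl:ihl + 8]
    if proto in (6, 17):                     # TCP/UDP: source and destination port
        a, b = struct.unpack("!HH", l4[:4])
    elif proto == 1:                         # ICMP query: type and identifier
        a, b = l4[0], struct.unpack("!H", l4[4:6])[0]
    else:
        return None
    return (proto, pkt[12:16], pkt[16:20], a, b)

def icmp_error(icmp_type, code, router, dst, quoted):
    """ICMP error from `router` quoting the start of the offending datagram."""
    body = struct.pack("!BBHI", icmp_type, code, 0, 0) + quoted
    return ip_header(1, router, dst, len(body)) + body

def allow_icmp_error(pkt, states):
    """True only if pkt is an ICMP error whose quoted datagram is a tracked flow."""
    if flow_key(pkt) is None or pkt[9] != 1:
        return False
    icmp = pkt[(pkt[0] & 0x0F) * 4:]
    if icmp[0] not in ICMP_ERRORS:
        return False
    key = flow_key(icmp[8:])                 # quoted original IP header + 8 bytes
    return key is not None and key in states

# Constructed sample traffic (documentation addresses, not captured packets).
udp_out = ip_header(17, "10.0.0.2", "192.0.2.9", 8) + struct.pack("!HHHH", 40000, 33434, 8, 0)
ping_out = ip_header(1, "10.0.0.2", "192.0.2.9", 8) + struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1)
states = {flow_key(udp_out), flow_key(ping_out)}   # what "keep state" recorded
other = ip_header(17, "10.0.0.2", "192.0.2.9", 8) + struct.pack("!HHHH", 40001, 53, 8, 0)
```

In this model an error quoting an untracked flow, or one whose quoted datagram is truncated below the IP header plus 8 bytes, is rejected, which is the sense in which only properly formatted errors pass.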