Date: Wed, 31 Oct 2007 10:58:57 +0100
From: "n j" <nino80@gmail.com>
To: "Ivan Voras" <ivoras@freebsd.org>
Cc: freebsd-questions@freebsd.org
Subject: Re: ipfw -- why need to let icmp out that I already let in?
Message-ID: <92bcbda50710310258p1a460a67v1f3f9dca292e4de1@mail.gmail.com>
In-Reply-To: <fg8d4b$vak$2@ger.gmane.org>
References: <47255D54.40700@dreamchaser.org> <fg8d4b$vak$2@ger.gmane.org>
> > add 10510 allow icmp from any to any out via oif() keep-state
>
> I don't think ICMP is stateful :)
>
> You need both in and out rules for ICMP because the logical responses to
> packets can't be reliably connected into a single communication.

Actually, I disagree. True, ICMP is not a stateful protocol; however, the keep-state directive works for ICMP as well:

    ipfw add 99 allow icmp from me to 192.168.1.1 keep-state

on "ping 192.168.1.1" creates the following dynamic rule:

    00099 7 588 (5s) STATE icmp 192.168.1.2 0 <-> 192.168.1.1 0

On a side note, the validity interval of this rule is controlled by the net.inet.ip.fw.dyn_short_lifetime sysctl variable and is in the above case set to 5 seconds (default is 30).

Regards,
--
Nino
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?92bcbda50710310258p1a460a67v1f3f9dca292e4de1>
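As an added example (not part of Nino's message or of FreeBSD's own tooling), the POSIX shell helpers below check whether a keep-state ICMP rule has created a dynamic entry and how many seconds it has left, by parsing `ipfw -d show` output in the format quoted above. The sample output is constructed, not captured from a host; the `$oif` interface variable in the ruleset fragment is an assumption, and the sysctl lookup only works on FreeBSD.

```shell
#!/bin/sh
# Added example, not from the original message: inspect the dynamic state that
# an ipfw keep-state ICMP rule creates, and check how long it has left to live.
# Assumes FreeBSD ipfw; on a real host run: ipfw -d show | dyn_state_summary 99

# Constructed sample of `ipfw -d show` output, in the format quoted in the thread.
# Rule 99 is the keep-state ICMP rule: 7 packets / 588 bytes matched, 5 s left.
SAMPLE_DYN='## Dynamic rules (1 5):
00099 7 588 (5s) STATE icmp 192.168.1.2 0 <-> 192.168.1.1 0'

# dyn_state_summary RULE
#   Reads `ipfw -d show` text on stdin; prints "proto src dst seconds_left" for
#   each dynamic entry created by RULE. Fields of a STATE line are:
#   rule pkts bytes (Ns) STATE proto src sport <-> dst dport
dyn_state_summary() {
    rule=$(printf '%05d' "$1")        # ipfw prints rule numbers zero-padded
    awk -v rule="$rule" '
        $1 == rule && $5 == "STATE" {
            life = $4
            gsub(/[()s]/, "", life)    # "(5s)" -> "5"
            print $6, $7, $10, life
        }'
}

# dyn_state_count RULE: number of live dynamic entries for RULE (0 if none).
dyn_state_count() {
    dyn_state_summary "$1" | wc -l | tr -d ' '
}

# Wrapper over the constructed sample so the helpers can be exercised without
# ipfw present.
sample_summary() {
    printf '%s\n' "$SAMPLE_DYN" | dyn_state_summary 99
}

# FreeBSD only: the sysctl that bounds the (Ns) lifetime of non-TCP dynamic
# rules such as the ICMP one above.
short_lifetime() {
    sysctl -n net.inet.ip.fw.dyn_short_lifetime
}

# Ruleset fragment following the approach in the message: check-state first so
# replies are matched against the dynamic entry, then a single stateful
# outbound ICMP rule instead of separate static in/out rules.
# $oif is an assumed interface variable; adjust to your setup.
show_ruleset() {
    cat <<'EOF'
ipfw add 100 check-state
ipfw add 110 allow icmp from me to any out via $oif keep-state
EOF
}

sample_summary
```

The seconds_left column is the value to watch when tuning net.inet.ip.fw.dyn_short_lifetime: if a host answers pings slower than that interval, the dynamic entry expires before the echo reply arrives and the reply falls through to the static rules.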