From owner-freebsd-questions@FreeBSD.ORG Wed Oct 31 10:26:56 2007
Message-ID: <92bcbda50710310258p1a460a67v1f3f9dca292e4de1@mail.gmail.com>
Date: Wed, 31 Oct 2007 10:58:57 +0100
From: "n j"
To: "Ivan Voras"
Cc: freebsd-questions@freebsd.org
Subject: Re: ipfw -- why need to let icmp out that I already let in?
References: <47255D54.40700@dreamchaser.org>

> > add 10510 allow icmp from any to any out via oif() keep-state
>
> I don't think ICMP is stateful :)
>
> You need both in and out rules for ICMP because the logical responses to
> packets can't be reliably connected into a single communication.

Actually, I disagree. True, ICMP is not a stateful protocol; however, the
keep-state directive works for ICMP as well:

    ipfw add 99 allow icmp from me to 192.168.1.1 keep-state

on "ping 192.168.1.1" creates the following dynamic rule:

    00099 7 588 (5s) STATE icmp 192.168.1.2 0 <-> 192.168.1.1 0

On a side note, the validity interval of this rule is controlled by the
net.inet.ip.fw.dyn_short_lifetime sysctl variable and is in the above case
set to 5 seconds (default is 30).

Regards,
-- 
Nino
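As an added example (not part of the original mail or of ipfw itself), a small Python model of what the listing above shows: it parses `ipfw -d show` dynamic-rule lines in the quoted format and checks that a single STATE entry covers both the outgoing echo request and the incoming reply. The sample listing and its TCP entry are constructed; the 30-second default is the one cited in the mail.

```python
import re
from collections import namedtuple

# Constructed sample output of `ipfw -d show`: the first line is the one from
# the mail, the TCP entry is added for contrast.
SAMPLE_DYN = """\
00099 7 588 (5s) STATE icmp 192.168.1.2 0 <-> 192.168.1.1 0
00200 12 1460 (299s) STATE tcp 192.168.1.2 51234 <-> 10.0.0.5 22
"""
# Fields: rule pkts bytes (ttl s) STATE proto src sport <-> dst dport
DYN_RE = re.compile(
    r"^(?P<rule>\d+)\s+\d+\s+\d+\s+\((?P<ttl>\d+)s\)\s+STATE\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+)\s+(?P<sport>\d+)\s+<->\s+(?P<dst>[\d.]+)\s+(?P<dport>\d+)$"
)

# ttl = seconds left before the entry expires; ports are 0 for ICMP.
DynRule = namedtuple("DynRule", "rule ttl proto src sport dst dport")

def parse_dyn(text):
    """Return a DynRule for every dynamic-rule line found in the text."""
    rules = []
    for line in text.splitlines():
        m = DYN_RE.match(line.strip())
        if m:
            d = m.groupdict()
            rules.append(DynRule(int(d["rule"]), int(d["ttl"]), d["proto"],
                                 d["src"], int(d["sport"]), d["dst"], int(d["dport"])))
    return rules

def matches(rule, proto, src, sport, dst, dport):
    """The '<->' in the listing means one entry matches a packet in either
    direction, so the echo reply needs no separate inbound ICMP rule."""
    if proto != rule.proto:
        return False
    return (src, sport, dst, dport) in (
        (rule.src, rule.sport, rule.dst, rule.dport),  # same direction as the request
        (rule.dst, rule.dport, rule.src, rule.sport),  # reverse direction (the reply)
    )

def state_allows(rules, proto, src, sport, dst, dport):
    """Would any live dynamic entry pass this packet (static rules ignored)?"""
    return any(matches(r, proto, src, sport, dst, dport) for r in rules)

def exceeds_short_lifetime(rules, dyn_short_lifetime=30):
    """ICMP entries expire after net.inet.ip.fw.dyn_short_lifetime (default 30);
    a remaining ttl above that value means the sysctl is not what you assume."""
    return [r.rule for r in rules if r.proto == "icmp" and r.ttl > dyn_short_lifetime]
```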