Date:      Wed, 31 Oct 2007 12:55:00 -0700
From:      freebsd@dreamchaser.org
To:        Dan Nelson <dnelson@allantgroup.com>
Cc:        Ivan Voras <ivoras@freebsd.org>, freebsd-questions@freebsd.org
Subject:   Re: ipfw -- why need to let icmp out that I already let in?
Message-ID:  <4728DD94.1050905@dreamchaser.org>
In-Reply-To: <20071031052845.GC3109@dan.emsphone.com>
References:  <47255D54.40700@dreamchaser.org> <fg8d4b$vak$2@ger.gmane.org> <20071031052845.GC3109@dan.emsphone.com>

Are you sure you don't have some other rule which is letting those returned 
packets out the other port?  When I substitute your rule for my two:
   ipfw delete 10531
   ipfw delete 10532
   ipfw add 10531 allow icmp from any to any icmptypes 0,3,11,12 in

The returning packets are dropped inside the firewall.  (traceroute still 
works from the firewall itself, but not from an internal machine).

Gary


Dan Nelson wrote:
> In the last episode (Oct 31), Ivan Voras said:
>> freebsd@dreamchaser.org wrote:
>>
>>> add 10510 allow icmp from any to any out via oif() keep-state
>> I don't think ICMP is stateful :)
>>
>> You need both in and out rules for ICMP because the logical responses
>> to packets can't be reliably connected into a single communication.
> 
> I use "allow icmp from any to any icmptypes 0,3,11,12 in"
> 
> those types being "echo reply", "destination unreachable",
> "time-to-live exceeded", and "IP header bad".
> 
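As an added illustration (not code from either poster or from FreeBSD), the shell below builds the rule pair this thread arrives at and checks a ruleset for it. On a host that forwards traffic a returning ICMP packet passes through ipfw twice, once "in" on the outside interface and once "out" on the inside interface, so an "in" rule alone leaves the reply dropped before it reaches the LAN. It restricts both rules to the reply-only types Dan lists (no echo request), so the pair does not expose the LAN to inbound pings. Rule numbers 10531/10532 come from Gary's message; the interface names em0/em1 and the sample ruleset text are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeBSD.
# A forwarded ICMP reply is checked by ipfw on input and again on output,
# so the allow has to exist in both directions. Interface names are assumed.

# Reply-only ICMP types from Dan's rule: 0 echo reply, 3 destination
# unreachable, 11 time exceeded, 12 parameter problem. Type 8 (echo
# request) is deliberately absent.
ICMP_REPLY_TYPES="0,3,11,12"

# icmp_reply_rules BASE OUTSIDE_IF INSIDE_IF
# Print (do not execute) the two ipfw commands: "in" on the outside
# interface, "out" on the inside one.
icmp_reply_rules() {
    base=$1
    oif=$2
    iif=$3
    printf 'ipfw add %s allow icmp from any to any icmptypes %s in recv %s\n' \
        "$base" "$ICMP_REPLY_TYPES" "$oif"
    printf 'ipfw add %s allow icmp from any to any icmptypes %s out xmit %s\n' \
        "$((base + 1))" "$ICMP_REPLY_TYPES" "$iif"
}

# has_icmp_pair RULESET_TEXT
# Return 0 when the ruleset (text in "ipfw list" style) allows the reply
# types both in and out, 1 otherwise. To audit a live box:
#   has_icmp_pair "$(ipfw list)"
has_icmp_pair() {
    rules=$1
    printf '%s\n' "$rules" | grep -q "allow icmp .*icmptypes $ICMP_REPLY_TYPES in" || return 1
    printf '%s\n' "$rules" | grep -q "allow icmp .*icmptypes $ICMP_REPLY_TYPES out" || return 1
    return 0
}

# Constructed sample rulesets (not captured from any real host):
# the "in-only" set Gary describes, and the same set with the out rule added.
ONLY_IN_RULES='10531 allow icmp from any to any icmptypes 0,3,11,12 in
65535 deny ip from any to any'
PAIRED_RULES="$ONLY_IN_RULES
10532 allow icmp from any to any icmptypes 0,3,11,12 out"

# Stand-alone run: show the generated pair and audit both sample sets.
icmp_reply_rules 10531 em0 em1
for name in ONLY_IN_RULES PAIRED_RULES; do
    eval "set_text=\$$name"
    if has_icmp_pair "$set_text"; then
        echo "$name: ICMP replies allowed in and out"
    else
        echo "$name: missing in or out rule; replies will be dropped when forwarded"
    fi
done
```

The audit function is the part worth keeping around: run it against `ipfw list` after any rule change, since Gary's symptom (traceroute works from the firewall but not from a LAN host) is exactly what a missing "out" half looks like, and it is easier to catch in a check than by tracing packets.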

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4728DD94.1050905>