From owner-freebsd-questions@FreeBSD.ORG Wed Oct 31 19:55:48 2007
From: freebsd@dreamchaser.org
To: Dan Nelson
Cc: Ivan Voras, freebsd-questions@freebsd.org
Date: Wed, 31 Oct 2007 12:55:00 -0700
Subject: Re: ipfw -- why need to let icmp out that I already let in?
Message-ID: <4728DD94.1050905@dreamchaser.org>
In-Reply-To: <20071031052845.GC3109@dan.emsphone.com>

Are you sure you don't have some other rule which is letting those returned packets out the other port?
When I substitute your rule for my two:

    ipfw delete 10531
    ipfw delete 10532
    ipfw add 10531 allow icmp from any to any icmptypes 0,3,11,12 in

the returning packets are dropped inside the firewall. (traceroute still works from the firewall itself, but not from an internal machine.)

Gary

Dan Nelson wrote:
> In the last episode (Oct 31), Ivan Voras said:
>> freebsd@dreamchaser.org wrote:
>>
>>> add 10510 allow icmp from any to any out via oif() keep-state
>> I don't think ICMP is stateful :)
>>
>> You need both in and out rules for ICMP because the logical responses
>> to packets can't be reliably connected into a single communication.
>
> I use "allow icmp from any to any icmptypes 0,3,11,12 in"
>
> those types being "echo reply", "destination unreachable",
> "time-to-live exceeded", and "IP header bad".
>
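The in/out ICMP rule pair that Gary and Dan are discussing, laid out as a complete fragment for a two-interface router. This is an added example, not a ruleset from anyone in the thread; the interface names em0 (outside) and em1 (inside), the LAN prefix 192.168.1.0/24 and the rule numbers are assumptions. It is written as a sh script that prints the rules so they can be reviewed before loading. The behaviour it accounts for is that ipfw evaluates a forwarded packet twice, once "in" on the interface it arrives on and once "out" on the interface it leaves by, so an ICMP reply that is allowed only "in via em0" is dropped on the second pass towards the LAN. That matches the symptom above: traceroute from the firewall itself never takes the second pass and keeps working, traceroute from an internal host does not.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Interface names, LAN
# prefix and rule numbers below are assumptions; adjust to your host.

OIF=${OIF:-em0}              # assumed: interface facing the Internet
IIF=${IIF:-em1}              # assumed: interface facing the LAN
LAN=${LAN:-192.168.1.0/24}   # assumed: internal network

# icmp_rules OIF IIF BASE
# Print the stateless ICMP rules in ipfw(8) "add" syntax, one per line,
# numbered from BASE. ICMP gets no keep-state: a TTL-exceeded or
# unreachable message is not part of any dynamic rule's 5-tuple, so the
# replies have to be permitted explicitly, and on both passes.
icmp_rules() {
    oif=$1; iif=$2; base=$3
    # Only the reply types needed for ping, traceroute and PMTU discovery:
    # 0 echo reply, 3 destination unreachable (includes fragmentation
    # needed), 11 time exceeded, 12 parameter problem. Echo request (8)
    # and redirect (5) from the outside are deliberately not in this list.
    types="0,3,11,12"
    # First pass: the reply arrives from the Internet on the outside interface.
    printf 'add %d allow icmp from any to %s icmptypes %s in via %s\n' \
        "$base" "$LAN" "$types" "$oif"
    # Second pass: the same packet leaves the firewall towards the LAN host.
    # Without this rule it is dropped here, even though it was allowed "in".
    printf 'add %d allow icmp from any to %s icmptypes %s out via %s\n' \
        "$((base + 1))" "$LAN" "$types" "$iif"
    # Outbound echo requests from the LAN or from the firewall itself.
    # (Their "in via $iif" pass is covered by the LAN allow rule in ruleset.)
    printf 'add %d allow icmp from any to any icmptypes 8 out via %s\n' \
        "$((base + 2))" "$oif"
    # Everything else ICMP is dropped explicitly and logged.
    printf 'add %d deny log icmp from any to any\n' "$((base + 3))"
}

# ruleset
# Whole ruleset: stateful TCP/UDP for the LAN plus the ICMP block above.
ruleset() {
    printf 'add 100 check-state\n'
    # LAN traffic entering the firewall on the inside interface (first pass).
    printf 'add 150 allow ip from %s to any in via %s\n' "$LAN" "$IIF"
    # Outbound connections on the second pass create the dynamic rule that
    # later admits the TCP/UDP replies on both of their passes.
    printf 'add 200 allow tcp from %s to any out via %s setup keep-state\n' "$LAN" "$OIF"
    printf 'add 210 allow udp from %s to any out via %s keep-state\n' "$LAN" "$OIF"
    icmp_rules "$OIF" "$IIF" 10531
    printf 'add 65000 deny log ip from any to any\n'
}

# Run stand-alone, the script only prints the rules for review.
ruleset
```

To load it on the firewall host, as root: `ruleset | ipfw -q /dev/stdin` (ipfw reads a file of commands when given a pathname). Note that with this set the firewall itself does not answer pings from the outside; add an `in via em0` rule for icmptype 8 if you want that, and keep the reply types limited to the list above so that inbound ICMP cannot be used for anything beyond error reporting to the hosts that provoked it.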