Date: Tue, 11 Feb 2003 20:51:12 +0100
From: Georg Graf <georg-ipfw@graf.priv.at>
To: freebsd-ipfw@freebsd.org
Subject: Re: ipfw2 bug?
Message-ID: <20030211195112.GA36140@graf.priv.at>
In-Reply-To: <web-24345945@mail.agtel.net>
References: <web-24345945@mail.agtel.net>
On Mon, Feb 10, 2003 at 09:47:33PM +0300, Andy Jema wrote:
> I try to use the following ruleset:
>
> ipfw add check-state
>
> ipfw add allow tcp from me to any keep-state out via fxp0 setup
> ipfw add allow udp from me to any keep-state out via fxp0
> ipfw add allow icmp from me to any keep-state out via fxp0
>
> ipfw add 65435 deny log ip from any to any
>
> but when attempting to traceroute any external host I'm
> getting the denying message in the log
> Feb 11 21:25:04 nss1 /ns1: ipfw: 65435 Deny ICMP:11.0
> <external host> <my host> in via fxp0

Your setup installs udp dynamic allow rules, but you keep blocking the
icmp ttl exceeded messages from the routers resp. the icmp port closed
messages from the host you traceroute.

> At the same time when I use the common rule like
>
> ipfw check-state
> ipfw add allow ip from me to any keep-state out via fxp0
>
> all works fine

I don't believe that, resp. I cannot reproduce it on a 4.7-RELEASE-p4
box. I guess you have an icmp allow rule somewhere left.

George

--
Georg Graf                      http://georg.graf.priv.at/
PGP Key ID: 0xA5232AD5
Gobergasse 43/2  A-1130 Wien    Tel: +43 1 8796723

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
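The point Georg makes is that a dynamic rule created by `udp ... keep-state` only matches packets of the same protocol and 5-tuple, so the ICMP type 11 (TTL exceeded) and type 3 (port unreachable) errors that a UDP traceroute depends on never hit the dynamic rule and fall through to the final deny. The following is an added illustration, not code from the thread or from ipfw: a simplified Python model of ipfw's check-state / keep-state evaluation, run over constructed packets (the 192.0.2.x, 198.51.100.x and 203.0.113.x addresses are documentation ranges chosen here). The rule numbers and the extra rule `allow icmp from any to me in via fxp0 icmptypes 3,11` are my assumptions about how one would admit those error messages statelessly; they are not in the original mail. Real ipfw dynamic matching (especially for ICMP) has more detail than this model.

```python
"""Simplified model of ipfw2 stateful matching, showing why UDP-based
traceroute replies fall through to the final deny rule.  Not ipfw code."""
from dataclasses import dataclass
from typing import Optional, Set

ME = "192.0.2.10"  # constructed address standing in for ipfw's "me"


@dataclass(frozen=True)
class Packet:
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    direction: str          # "in" or "out"
    sport: int = 0          # 0 for icmp
    dport: int = 0
    icmptype: Optional[int] = None


# Rule tuple: (number, action, proto, src, dst, direction, keep_state, icmptypes)
def ruleset(allow_icmp_errors: bool):
    """The poster's ruleset, optionally with an assumed stateless ICMP-error rule."""
    rules = [
        (100, "check-state", None, None, None, None, False, None),
        (200, "allow", "tcp", ME, "any", "out", True, None),
        (300, "allow", "udp", ME, "any", "out", True, None),
        (400, "allow", "icmp", ME, "any", "out", True, None),
    ]
    if allow_icmp_errors:
        # Assumed fix: admit TTL-exceeded (11) and unreachable (3) errors inbound.
        rules.append((500, "allow", "icmp", "any", ME, "in", False, {3, 11}))
    rules.append((65435, "deny", "ip", "any", "any", None, False, None))
    return rules


class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.dyn: Set[tuple] = set()  # dynamic entries keyed by (proto, src, sport, dst, dport)

    def _match_static(self, rule, pkt: Packet) -> bool:
        _, _, proto, src, dst, direction, _, icmptypes = rule
        if proto not in (None, "ip") and proto != pkt.proto:
            return False
        if src not in (None, "any") and src != pkt.src:
            return False
        if dst not in (None, "any") and dst != pkt.dst:
            return False
        if direction and direction != pkt.direction:
            return False
        if icmptypes is not None and pkt.icmptype not in icmptypes:
            return False
        return True

    def _match_dynamic(self, pkt: Packet) -> bool:
        # A dynamic entry matches the recorded flow or its exact reverse, same protocol.
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return fwd in self.dyn or rev in self.dyn

    def process(self, pkt: Packet) -> str:
        """Return the verdict string '<rule number> <action>' for a packet."""
        for rule in self.rules:
            num, action = rule[0], rule[1]
            if action == "check-state":
                if self._match_dynamic(pkt):
                    return f"{num} allow (dynamic)"
                continue
            if not self._match_static(rule, pkt):
                continue
            if rule[6]:  # keep-state: record this flow as a dynamic entry
                self.dyn.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return f"{num} {action}"
        return "default"


def traceroute_reply_verdict(allow_icmp_errors: bool) -> str:
    """UDP probe goes out, an intermediate router answers with ICMP type 11."""
    fw = Firewall(ruleset(allow_icmp_errors))
    probe = Packet("udp", ME, "198.51.100.7", "out", sport=40000, dport=33435)
    assert fw.process(probe) == "300 allow"          # creates the UDP dynamic entry
    ttl_exceeded = Packet("icmp", "203.0.113.1", ME, "in", icmptype=11)
    return fw.process(ttl_exceeded)                   # proto icmp: no dynamic match


def icmp_echo_reply_verdict() -> str:
    """ICMP echo (traceroute -I style) is answered by the reversed ICMP flow."""
    fw = Firewall(ruleset(False))
    echo = Packet("icmp", ME, "198.51.100.7", "out", icmptype=8)
    assert fw.process(echo) == "400 allow"
    reply = Packet("icmp", "198.51.100.7", ME, "in", icmptype=0)
    return fw.process(reply)


if __name__ == "__main__":
    print("UDP traceroute reply, poster's ruleset:", traceroute_reply_verdict(False))
    print("UDP traceroute reply, with icmptypes 3,11 rule:", traceroute_reply_verdict(True))
    print("ICMP echo reply, poster's ruleset:", icmp_echo_reply_verdict())
```

The model reproduces the log line in the mail: the TTL-exceeded packet arrives as protocol ICMP, matches no dynamic entry created by the UDP rule, and is logged and dropped by rule 65435, whereas an echo reply does match the reversed ICMP flow. Admitting only `icmptypes 3,11` inbound is narrower than a blanket `allow icmp`, which is the stricter choice for an otherwise default-deny ruleset.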