Date:      Thu, 2 Aug 2001 20:26:19 +0300
From:      Peter Pentchev <roam@orbitel.bg>
To:        Dennis Berger <HypnotiZer@gmx.net>
Cc:        freebsd-hackers@freebsd.org
Subject:   Re: keep-state rule for icmp, really stateful ???
Message-ID:  <20010802202618.A11105@ringworld.oblivion.bg>
In-Reply-To: <000801c11b66$f57452e0$650110ac@nachpolierer>; from HypnotiZer@gmx.net on Thu, Aug 02, 2001 at 05:22:36PM +0200
References:  <000801c11b66$f57452e0$650110ac@nachpolierer>

On Thu, Aug 02, 2001 at 05:22:36PM +0200, Dennis Berger wrote:
> Hi
> I have the following rule allowing traceroute and ping to my server.
> "200 allow icmp from any to any keep-state in recv tun0 icmptype 8"
> Now I would assume that this rule generate two dynamic rules back.
> The first one is a rule that initiates ping to work properly it's just a dynamic ICMP rule
> 00200 2623 220332 (T 30, # 43) ty 0 icmp, 134.100.58.115 0 <-> 213.23.32.88 0
> and the second that the traceroute UDP traffic from port 33434-33960 can pass in.
> But what happens ... the rule 200 doesn't open a second dynamic rule to allow udp traffic to specific ports back in, the traceroute UDP traffic will be blocked. To keep the icmp packetfiltering stateful it would be nice to implement this clean. Or maybe it is already implemented in CURRENT tree. What's the current state ?

Errrr.. maybe it's just me, but I just can't see how a rule that says
'allow icmp' should allow UDP traffic to pass through..
Maybe you haven't shown us all the rules?  (And I don't necessarily
mean 'all the rules pertaining to icmp and traceroute'.. it might
as well be that some other rule, which you do not consider relevant,
is blocking your traceroute packets.)

G'luck,
Peter

-- 
I am jealous of the first word in this sentence.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
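The point of the exchange above is that an ipfw dynamic rule is keyed on protocol and addresses, so state created by an ICMP echo request can only ever match further ICMP between the same two hosts; a UDP traceroute probe needs its own static rule. The following is an added illustration, not code from the thread or from ipfw itself: a deliberately simplified model of keep-state matching (interfaces, ports in the dynamic key, and rule expiry are ignored), using the two addresses from the archived dynamic-rule line. The traceroute port range and the rule numbers 210 and 220 are assumptions chosen for the example.

```python
"""Simplified model of ipfw keep-state matching (constructed example, not ipfw source).

A keep-state rule that matches a packet installs a dynamic entry keyed on
(protocol, address pair), the same triple that the archived line
"ty 0 icmp, 134.100.58.115 0 <-> 213.23.32.88 0" shows.  Later packets are
checked against dynamic entries before the static rules, but an entry only
matches a packet of the same protocol, so ICMP state never lets UDP through.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                      # "icmp" or "udp"
    src: str
    dst: str
    direction: str                  # "in" or "out"
    icmptype: Optional[int] = None  # only meaningful for ICMP
    dport: Optional[int] = None     # only meaningful for UDP


@dataclass
class Rule:
    number: int
    proto: str
    direction: Optional[str] = None
    icmptypes: Optional[Set[int]] = None
    dports: Optional[range] = None
    keep_state: bool = False

    def matches(self, p: Packet) -> bool:
        if self.proto != p.proto:
            return False
        if self.direction is not None and self.direction != p.direction:
            return False
        if self.icmptypes is not None and p.icmptype not in self.icmptypes:
            return False
        if self.dports is not None and p.dport not in self.dports:
            return False
        return True


class Firewall:
    """Static 'allow' rules plus a set of dynamic entries; anything unmatched is denied."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.dynamic: Set[Tuple[str, FrozenSet[str]]] = set()

    @staticmethod
    def _key(p: Packet) -> Tuple[str, FrozenSet[str]]:
        # Address pair is unordered so replies match the entry the request created.
        return (p.proto, frozenset((p.src, p.dst)))

    def check(self, p: Packet) -> Optional[str]:
        """Return what allowed the packet ('dynamic' or 'rule N'), or None if denied."""
        if self._key(p) in self.dynamic:
            return "dynamic"
        for r in self.rules:
            if r.matches(p):
                if r.keep_state:
                    self.dynamic.add(self._key(p))
                return f"rule {r.number}"
        return None


def run_scenario(with_udp_rules: bool) -> dict:
    """Replay the ping-then-traceroute sequence from the message with and without UDP rules."""
    server, client = "213.23.32.88", "134.100.58.115"   # addresses from the archived dynamic rule
    rules = [Rule(200, "icmp", "in", icmptypes={8}, keep_state=True)]   # the rule quoted in the thread
    if with_udp_rules:
        rules += [
            Rule(210, "udp", "in", dports=range(33434, 33525)),   # assumed traceroute probe range
            Rule(220, "icmp", "out", icmptypes={3}),              # port-unreachable replies when no ping state exists
        ]
    fw = Firewall(rules)
    return {
        "echo_request_in": fw.check(Packet("icmp", client, server, "in", icmptype=8)),
        "echo_reply_out": fw.check(Packet("icmp", server, client, "out", icmptype=0)),
        "udp_probe_in": fw.check(Packet("udp", client, server, "in", dport=33434)),
        "port_unreach_out": fw.check(Packet("icmp", server, client, "out", icmptype=3)),
    }


if __name__ == "__main__":
    for flag in (False, True):
        print(f"with_udp_rules={flag}: {run_scenario(flag)}")
```

Without the extra rules the UDP probe is denied while both ICMP packets pass (the reply via the dynamic entry), which is exactly the symptom described in the message; adding the static UDP rule is what lets the probe in, and the ICMP state is unaffected either way.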




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010802202618.A11105>