Date:      Thu, 2 Aug 2001 20:21:18 +0200
From:      "Dennis Berger" <HypnotiZer@gmx.net>
To:        "Peter Pentchev" <roam@orbitel.bg>
Cc:        <freebsd-hackers@freebsd.org>
Subject:   Re: keep-state rule for icmp, really stateful ???
Message-ID:  <000a01c11b7f$ec5a4520$650110ac@nachpolierer>
References:  <000801c11b66$f57452e0$650110ac@nachpolierer> <20010802202618.A11105@ringworld.oblivion.bg>

Sorry, I missed something ... forget it.
----- Original Message -----
From: "Peter Pentchev" <roam@orbitel.bg>
To: "Dennis Berger" <HypnotiZer@gmx.net>
Cc: <freebsd-hackers@freebsd.org>
Sent: Thursday, August 02, 2001 7:26 PM
Subject: Re: keep-state rule for icmp, really stateful ???


> On Thu, Aug 02, 2001 at 05:22:36PM +0200, Dennis Berger wrote:
> > Hi
> > I have the following rule allowing traceroute and ping to my server.
> > "200 allow icmp from any to any keep-state in recv tun0 icmptype 8"
> > Now I would assume that this rule generates two dynamic rules back.
> > The first one is a rule that initiates ping to work properly; it's just a
> > dynamic ICMP rule
> > 00200 2623 220332 (T 30, # 43) ty 0 icmp, 134.100.58.115 0 <->
> > 213.23.32.88 0
> > and the second is that the traceroute UDP traffic from port 33434-33960 can
> > pass in.
> > But what happens ... the rule 200 doesn't open a second dynamic rule to
> > allow UDP traffic to specific ports back in, so the traceroute UDP traffic will
> > be blocked. To keep the ICMP packet filtering stateful it would be nice to
> > implement this cleanly. Or maybe it is already implemented in the CURRENT tree.
> > What's the current state?
>
> Errrr.. maybe it's just me, but I just can't see how a rule that says
> 'allow icmp' should allow UDP traffic to pass through..
> Maybe you haven't shown us all the rules?  (And I don't necessarily
> mean 'all the rules pertaining to icmp and traceroute'.. it might
> as well be that some other rule, which you do not consider relevant,
> is blocking your traceroute packets.)
>
> G'luck,
> Peter
>
> --
> I am jealous of the first word in this sentence.
>
>


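The point Peter makes above (a keep-state rule on ICMP can only ever spawn a dynamic rule for that same ICMP flow, so it cannot let UDP traceroute probes in) is easy to see in a small model. The following Python is an added example written for this page; it is not ipfw's code and not from either poster. It models just enough of ipfw's keep-state/check-state behaviour to show that a dynamic rule is keyed on protocol, both addresses and both ports, and that a separate stateful UDP rule (rule 300 here, a constructed rule that is not in the original thread) is what actually admits the probes. Rule numbers 100, 300 and 65000, the addresses 198.51.100.7 and 203.0.113.9 and the UDP source port 40000 are constructed values.

```python
"""Toy model of ipfw keep-state / check-state matching (constructed example,
not ipfw's implementation). Dynamic entries are keyed on the protocol and
the full address/port pair of the packet that created them, and they match
in both directions, like the "<->" entry shown in the thread."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                  # "icmp" or "udp"
    src: str
    dst: str
    direction: str              # "in" or "out"
    sport: int = 0              # ICMP carries no ports; ipfw displays them as 0
    dport: int = 0
    icmptype: Optional[int] = None


@dataclass
class Rule:
    number: int
    action: str                                 # "allow" or "deny"
    proto: str = "ip"                           # "ip" matches any protocol
    direction: Optional[str] = None
    icmptype: Optional[int] = None
    dport_range: Optional[Tuple[int, int]] = None
    keep_state: bool = False
    check_state: bool = False

    def matches(self, pkt: Packet) -> bool:
        """Static match on the packet's own fields; no state involved."""
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.direction is not None and self.direction != pkt.direction:
            return False
        if self.icmptype is not None and pkt.icmptype != self.icmptype:
            return False
        if self.dport_range is not None:
            lo, hi = self.dport_range
            if not lo <= pkt.dport <= hi:
                return False
        return True


class Firewall:
    def __init__(self, rules: List[Rule]):
        self.rules = sorted(rules, key=lambda r: r.number)
        # (proto, addr_a, port_a, addr_b, port_b) -> number of the parent rule
        self.dynamic: Dict[tuple, int] = {}

    def _dynamic_match(self, pkt: Packet) -> Optional[int]:
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.dynamic:
            return self.dynamic[fwd]
        if rev in self.dynamic:
            return self.dynamic[rev]
        return None

    def process(self, pkt: Packet) -> Tuple[int, str, str]:
        """Return (rule number, action, 'static'|'dynamic'|'default')."""
        for rule in self.rules:
            # check-state, and any keep-state rule, first consults the dynamic table
            if rule.check_state or rule.keep_state:
                parent = self._dynamic_match(pkt)
                if parent is not None:
                    return (parent, "allow", "dynamic")
            if rule.check_state:
                continue
            if rule.matches(pkt):
                if rule.keep_state and rule.action == "allow":
                    key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
                    self.dynamic[key] = rule.number
                return (rule.number, rule.action, "static")
        return (65535, "deny", "default")


CHECK = Rule(100, "allow", check_state=True)                       # constructed
ICMP_ECHO_IN = Rule(200, "allow", "icmp", direction="in", icmptype=8, keep_state=True)
UDP_TRACEROUTE_IN = Rule(300, "allow", "udp", direction="in",       # constructed
                         dport_range=(33434, 33960), keep_state=True)
DENY_ALL = Rule(65000, "deny")                                     # constructed


def run_scenario(rules: List[Rule]) -> Dict[str, Tuple[int, str, str]]:
    fw = Firewall(rules)
    pinger, server = "198.51.100.7", "203.0.113.9"   # constructed addresses
    echo_req = Packet("icmp", pinger, server, "in", icmptype=8)
    echo_rep = Packet("icmp", server, pinger, "out", icmptype=0)
    probe = Packet("udp", pinger, server, "in", sport=40000, dport=33435)
    return {
        "echo_request": fw.process(echo_req),   # creates the dynamic ICMP entry
        "echo_reply": fw.process(echo_rep),     # admitted by that entry
        "udp_probe": fw.process(probe),         # never matches an ICMP entry
    }


def demo() -> Dict[str, Dict[str, Tuple[int, str, str]]]:
    return {
        "icmp_rule_only": run_scenario([CHECK, ICMP_ECHO_IN, DENY_ALL]),
        "with_udp_rule": run_scenario([CHECK, ICMP_ECHO_IN, UDP_TRACEROUTE_IN, DENY_ALL]),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

With only rule 200 the echo reply is admitted by the dynamic entry, but the UDP probe falls through to the deny rule; adding a stateful UDP rule for the traceroute port range is what changes that.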