Date:      Sun, 13 Jun 2004 13:22:47 +0200
From:      Geert Hendrickx <geert.hendrickx@ua.ac.be>
To:        freebsd-questions@freebsd.org
Subject:   ipfw: question about keep-state on icmp
Message-ID:  <20040613112246.GA1647@lori.mine.nu>

Hi, 

this is a fragment of my ipfw config which should allow me to ping
others, but not allow others to ping me:

00092 allow icmp from me to any keep-state
65535 deny ip from any to any

Indeed, other hosts can't ping me... UNLESS I am pinging them at the
same time!  This is of course a result of keeping the state of icmp
traffic between these two hosts, and I can avoid this by changing it to:

00091 deny icmp from any to me icmptype 8    <-- deny ping request to me
00092 allow icmp from me to any keep-state

(icmptype 8 = ping request) 

But then I don't see the use for keep-state in 00092 anymore...  The
following seems equally valid to me: 

00091 allow icmp from me to any
00092 allow icmp from any to me icmptype 0   <-- allow ping reply to me

So what am I missing?  

And are errors as in the first example also possible with
tcp connections, e.g. ssh?

GH
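As an added example (not part of the original message), here is a small Python model of the ipfw behaviour the message describes: keep-state creates a dynamic entry keyed on the address pair that matches traffic in both directions, and with no explicit check-state rule that entry is consulted at the first keep-state rule. The addresses are constructed, and the model covers only the ICMP case (no ports, no TCP state tracking).

```python
# Model of ipfw keep-state on ICMP (added example, not from the original post).
from dataclasses import dataclass, field
from typing import Optional

ME, PEER = "10.0.0.1", "10.0.0.2"   # constructed addresses
ECHO_REQUEST, ECHO_REPLY = 8, 0      # icmptype values used in the message

@dataclass
class Rule:
    action: str                      # "allow" or "deny"
    src: str                         # address or "any"
    dst: str
    icmptype: Optional[int] = None   # None matches any ICMP type
    keep_state: bool = False

@dataclass
class Firewall:
    rules: list
    dynamic: set = field(default_factory=set)   # (src, dst) pairs, matched both ways

    def _matches(self, r, src, dst, icmptype):
        return (r.src in ("any", src) and r.dst in ("any", dst)
                and r.icmptype in (None, icmptype))

    def check(self, src, dst, icmptype):
        checked_state = False
        for r in self.rules:
            # Without an explicit check-state, dynamic rules are consulted at the
            # first keep-state rule; the entry matches either direction.
            if r.keep_state and not checked_state:
                checked_state = True
                if (src, dst) in self.dynamic or (dst, src) in self.dynamic:
                    return "allow"
            if self._matches(r, src, dst, icmptype):
                if r.keep_state:
                    self.dynamic.add((src, dst))
                return r.action
        return "deny"   # 65535 deny ip from any to any

def scenario(with_deny_rule):
    """Return (peer pings me before I ping, peer pings me while I ping, reply to my ping)."""
    rules = []
    if with_deny_rule:                                   # 00091 deny icmp from any to me icmptype 8
        rules.append(Rule("deny", "any", ME, ECHO_REQUEST))
    rules.append(Rule("allow", ME, "any", keep_state=True))   # 00092 allow icmp from me to any keep-state
    fw = Firewall(rules)
    before = fw.check(PEER, ME, ECHO_REQUEST)   # no dynamic entry yet
    fw.check(ME, PEER, ECHO_REQUEST)            # my outgoing ping creates the entry
    during = fw.check(PEER, ME, ECHO_REQUEST)   # peer's ping request while state exists
    reply = fw.check(PEER, ME, ECHO_REPLY)      # peer's reply to my ping
    return before, during, reply
```

`scenario(False)` reproduces the hole in the first ruleset (the peer's echo request is allowed while state exists); `scenario(True)` shows the explicit deny on icmptype 8 closing it while replies still get through.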
