Subject: Re: IPFilter question
From: Fernando Gleiser (fgleiser cactus.fi.uba.ar)
Date: Thu Jun 08 2000 - 12:49:10 CDT
On Wed, 7 Jun 2000, Fernando Schapachnik wrote:
> Hi:
> I've read the ipf-howto whose URL was published in the list a
> few months ago and used it to construct a FW. Everything was fine except
> for:
>
> Using keep state with icmp doesn't allow traceroutes. The
> solution I found was to let icmp types 0 and 11 in. Is this supposed
> to work this way or I misconfigured something? Shouldn't `keep state' be
> enough to let traceroute work?
You don't need to allow icmp type 0. It is covered by the keep state.
You also need to allow incoming ICMP type 3 (unreachable) codes 0, 1, 3,
9, 10 and 13 for traceroute to work properly. You also need to allow
ICMP type 3 code 4 (unreachable: need to frag) for path MTU discovery to work.
If you have further questions, mail me privately and I'll give you my
phone number (I live in Bs As also).
Fer
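
The ICMP rules described in the reply above, written out as an ipf.conf fragment. This is an added example, not part of the original message; the interface name ed0 and the network 192.0.2.0/24 are placeholders, and the rest of the ruleset (including whatever lets the outbound traceroute probes leave) is assumed to exist already.

```conf
# Added example, not from the original thread.
# Assumptions: ed0 = external interface, 192.0.2.0/24 = internal network.

# Outbound ICMP with state: the matching reply (e.g. echo reply, type 0)
# comes back through the state entry, so no separate rule for type 0.
pass out quick on ed0 proto icmp from 192.0.2.0/24 to any keep state

# Time exceeded (type 11), sent by each intermediate hop of a traceroute.
pass in quick on ed0 proto icmp from any to 192.0.2.0/24 icmp-type 11

# Destination unreachable (type 3), only the codes listed in the reply:
#   0 net unreachable        1 host unreachable     3 port unreachable
#   9 net admin prohibited  10 host admin prohibited
#  13 communication administratively prohibited
pass in quick on ed0 proto icmp from any to 192.0.2.0/24 icmp-type 3 code 0
pass in quick on ed0 proto icmp from any to 192.0.2.0/24 icmp-type 3 code 1
pass in quick on ed0 proto icmp from any to 192.0.2.0/24 icmp-type 3 code 3
pass in quick on ed0 proto icmp from any to 192.0.2.0/24 icmp-type 3 code 9
pass in quick on ed0 proto icmp from any to 192.0.2.0/24 icmp-type 3 code 10
pass in quick on ed0 proto icmp from any to 192.0.2.0/24 icmp-type 3 code 13

# Type 3 code 4 (fragmentation needed), required for path MTU discovery.
pass in quick on ed0 proto icmp from any to 192.0.2.0/24 icmp-type 3 code 4

# Any other inbound ICMP that did not match a state entry or a rule above.
block in quick on ed0 proto icmp from any to any
```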