question concerned with dynamic rules

Orla McGann orly at cnri.dit.ie
Mon May 30 07:19:33 PDT 2005


On Mon, May 30, 2005 at 04:30:19PM +0300, Igor Popov wrote:
> 	Hi all,
> I have a question concerned with dynamic rules, say I have such rules:
> 	ipfw check-state
> 	ipfw allow udp from me to any out keep-state
> 	
> if the TTL of my packet reaches zero on some router in the path, it sends me an ICMP
> error message "TTL exceeded". Does the last rule create a dynamic rule that permits
> the ICMP error message? My experience with traceroute shows that such a rule is
> not created.
> 
> But with such rules:
> 	ipfw check-state
> 	ipfw allow udp from me to any out keep-state
> 	ipfw allow icmp from any to me icmptype 3,4,11,12 in
> traceroute works.

  I don't think IPFW2 has the "related" and "reply" functionality that exists
in Netfilter, where packets related to a dynamic connection, such as ICMP
packets, are also passed through the filter. So you need to explicitly add rules
allowing these ICMP types.
   Regards, 
    Orla
-- 
Give a man a fish; you have fed him for today.  
Teach a man to use the Net and he won't bother you for weeks.
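The ruleset Igor ended up with, written out as a complete ipfw script in the order that matters for stateful filtering. This is an added example, not code from either poster: the rule numbers are arbitrary, the keyword is spelled `icmptypes` as in ipfw(8), and by default the script only echoes the commands (IPFW unset) so it can be read and tested without touching a kernel; set IPFW=/sbin/ipfw on a FreeBSD box to install it.

```shell
#!/bin/sh
# Added example (not from the original thread). Installs the stateful
# outbound-UDP ruleset plus the explicit inbound ICMP-error rule that the
# dynamic rule never creates. Assumption: with IPFW unset we dry-run via
# echo; IPFW=/sbin/ipfw applies the rules for real.
IPFW="${IPFW:-echo ipfw}"

ruleset() {
    # Flush so reruns are idempotent; -f skips the confirmation prompt.
    $IPFW -f flush

    # 1. Consult the dynamic rule table before any static rule.
    $IPFW add 100 check-state

    # 2. Outbound UDP (the traceroute probes) creates a dynamic rule keyed
    #    on the exact proto/src/sport/dst/dport 5-tuple and its reverse.
    $IPFW add 200 allow udp from me to any out keep-state

    # 3. ICMP errors come from intermediate routers: different source
    #    address, different protocol, so no dynamic rule from step 2 will
    #    ever match them. Allow the error types explicitly, inbound only:
    #    3 destination unreachable, 4 source quench, 11 time exceeded,
    #    12 parameter problem.
    $IPFW add 300 allow icmp from any to me icmptypes 3,4,11,12 in

    # 4. Everything else is dropped (rule 65535 would do so anyway unless
    #    the kernel was built with IPFIREWALL_DEFAULT_TO_ACCEPT).
    $IPFW add 65000 deny ip from any to any
}

ruleset
```

After running traceroute with the rules installed, `ipfw -d list` shows a dynamic entry only for the UDP probe; nothing stateful is created for the returning ICMP, which is exactly why rule 300 has to exist. Leaving out the `in` keyword would also let the host send those ICMP types unfiltered, so keep the direction.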


