ipfw: question about keep-state on icmp

JJB Barbish3 at adelphia.net
Sun Jun 13 08:48:33 PDT 2004


I think if you read closely you will find out the keep-state option
does not work on the icmp protocol because icmp is a stateless
protocol.  This does not mean that ipfw will give a coding error if
you code it.

You have to have an icmp stateless rule to allow it out and another
to allow it in.

allow icmp from me to any out via xl0

allow icmp from any to me icmptype 0 in via xl0


-----Original Message-----
From: owner-freebsd-questions at freebsd.org
[mailto:owner-freebsd-questions at freebsd.org]On Behalf Of Geert
Hendrickx
Sent: Sunday, June 13, 2004 7:23 AM
To: freebsd-questions at freebsd.org
Subject: ipfw: question about keep-state on icmp

Hi,

this is a fragment of my ipfw-config which should allow me to ping
others, but not allow others to ping me:

00092 allow icmp from me to any keep-state
65535 deny ip from any to any

Indeed, other hosts can't ping me... UNLESS I am pinging them at the
same time!  This is of course a result of keeping the state of icmp-
traffic between these two hosts, and I can avoid this by changing it
to:

00091 deny icmp from any to me icmptype 8    <-- deny ping request to me
00092 allow icmp from me to any keep-state

(icmptype 8 = ping request)

But then I don't see the use for keep-state in 00092 anymore...  The
following seems equally valid to me:

00091 allow icmp from me to any
00092 allow icmp from any to me icmptype 0   <-- allow ping reply to me

So what am I missing?

And are errors as in the first example also possible with
tcp-connections, e.g. ssh?

GH
_______________________________________________
freebsd-questions at freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to
"freebsd-questions-unsubscribe at freebsd.org"
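The following is an added example, not code from either message above: a small Python model of ipfw's first-match evaluation with keep-state, written to reproduce the behaviour Geert observed (a keep-state rule on ICMP lets the peer's echo requests in while you are pinging it) and to show that JJB's stateless allow-out / allow-reply-in pair does not have that leak. Everything in it is an assumption for illustration: the addresses 10.0.0.1 (me) and 10.0.0.2 (peer) are constructed, interfaces and in/out direction (the `via xl0` parts) are ignored, and a dynamic entry is modelled as matching any ICMP type in either direction between the two hosts, which is what the observation in the thread implies. It is not ipfw itself and does not reproduce every detail of its dynamic-rule handling.

```python
from dataclasses import dataclass
from typing import Optional, List, Dict

ME = "10.0.0.1"      # the host the ruleset protects ("me" in ipfw); constructed
PEER = "10.0.0.2"    # a remote host used in the walkthrough; constructed
ECHO_REQUEST, ECHO_REPLY = 8, 0


@dataclass(frozen=True)
class Packet:
    proto: str                      # "icmp" or "tcp"
    src: str
    dst: str
    icmptype: Optional[int] = None  # only meaningful for icmp


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                     # "allow" or "deny"
    proto: str                      # "icmp", "tcp" or "ip" (ip matches all)
    src: str                        # "me" or "any"
    dst: str                        # "me" or "any"
    icmptype: Optional[int] = None  # None means any type
    keep_state: bool = False

    @staticmethod
    def _addr(spec: str, addr: str) -> bool:
        return spec == "any" or (spec == "me" and addr == ME)

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if not (self._addr(self.src, p.src) and self._addr(self.dst, p.dst)):
            return False
        if self.icmptype is not None and p.icmptype != self.icmptype:
            return False
        return True


class Firewall:
    """First-match ruleset with a dynamic (keep-state) table.

    Model assumption: a dynamic entry is keyed on protocol and the two
    addresses only. ICMP has no ports, so the entry matches every ICMP
    type flowing in either direction between those hosts.
    """

    def __init__(self, rules: List[Rule]):
        self.rules = sorted(rules, key=lambda r: r.number)
        self.dynamic = set()

    def _dynamic_match(self, p: Packet) -> bool:
        return ((p.proto, p.src, p.dst) in self.dynamic
                or (p.proto, p.dst, p.src) in self.dynamic)

    def check(self, p: Packet) -> str:
        for rule in self.rules:
            # The dynamic table is consulted when evaluation reaches the
            # first keep-state (or check-state) rule; rules numbered before
            # it, such as an explicit deny, still win.
            if rule.keep_state and self._dynamic_match(p):
                return "allow"
            if rule.matches(p):
                if rule.action == "allow" and rule.keep_state:
                    self.dynamic.add((p.proto, p.src, p.dst))
                return rule.action
        return "deny"


# The three rulesets discussed in the thread (default deny is 65535).
KEEP_STATE_ONLY = [
    Rule(92, "allow", "icmp", "me", "any", keep_state=True),
    Rule(65535, "deny", "ip", "any", "any"),
]
DENY_REQUEST_THEN_KEEP_STATE = [
    Rule(91, "deny", "icmp", "any", "me", icmptype=ECHO_REQUEST),
    Rule(92, "allow", "icmp", "me", "any", keep_state=True),
    Rule(65535, "deny", "ip", "any", "any"),
]
STATELESS_PAIR = [
    Rule(91, "allow", "icmp", "me", "any"),
    Rule(92, "allow", "icmp", "any", "me", icmptype=ECHO_REPLY),
    Rule(65535, "deny", "ip", "any", "any"),
]


def walkthrough(rules: List[Rule]) -> Dict[str, str]:
    """Run the ping exchange from the thread through a fresh firewall."""
    fw = Firewall(rules)
    inbound_request = Packet("icmp", PEER, ME, ECHO_REQUEST)
    return {
        "peer pings me, no state": fw.check(inbound_request),
        "I ping peer": fw.check(Packet("icmp", ME, PEER, ECHO_REQUEST)),
        "peer's reply to me": fw.check(Packet("icmp", PEER, ME, ECHO_REPLY)),
        "peer pings me while I ping": fw.check(inbound_request),
    }


if __name__ == "__main__":
    for name, rules in (("keep-state only", KEEP_STATE_ONLY),
                        ("deny type 8, then keep-state", DENY_REQUEST_THEN_KEEP_STATE),
                        ("stateless pair", STATELESS_PAIR)):
        print(name, walkthrough(rules))
```

Running it shows the first ruleset answering "allow" for the peer's echo request once state exists, while the other two answer "deny" for both inbound requests and "allow" for the reply, so the stateless pair gives the intended policy without any dynamic rule.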