ipfw -- why need to let icmp out that I already let in?
n j
nino80 at gmail.com
Wed Oct 31 03:26:57 PDT 2007
> > add 10510 allow icmp from any to any out via oif() keep-state
>
> I don't think ICMP is stateful :)
>
> You need both in and out rules for ICMP because the logical responses to
> packets can't be reliably connected into a single communication.
Actually, I disagree. True, ICMP is not a stateful protocol; however,
the keep-state directive works for ICMP as well:
ipfw add 99 allow icmp from me to 192.168.1.1 keep-state
On "ping 192.168.1.1" this creates the following dynamic rule:
00099 7 588 (5s) STATE icmp 192.168.1.2 0 <-> 192.168.1.1 0
On a side note, the validity interval of this rule is controlled by the
net.inet.ip.fw.dyn_short_lifetime sysctl variable and is in the above
case set to 5 seconds (default is 30).
Regards,
--
Nino
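The two ways of admitting ICMP replies that this thread argues about, written out as a small loadable ruleset. This is an added example, not code from the post or from the FreeBSD ipfw sources; the interface name em0 and the peer 192.168.1.1 are assumptions, and the only sample "ipfw -d show" line is the one quoted in the post above. The stateful variant keeps one outbound keep-state rule plus a check-state in front of it and denies everything else inbound; the stateless variant, the shape the quoted reply recommends, needs an explicit inbound rule and so should be restricted to reply types. The helper at the end filters the dynamic-rule section of "ipfw -d show" so the remaining lifetime of each ICMP entry can be watched.

```sh
#!/bin/sh
# Added example (not from the original post): stateful vs. stateless ICMP
# in ipfw, emitted in the one-command-per-line form "ipfw <file>" loads.
# OIF and PEER are assumptions; override them in the environment.
OIF=${OIF:-em0}
PEER=${PEER:-192.168.1.1}

# Stateful variant: the echo reply is admitted by the dynamic entry created
# by rule 110 (looked up at rule 100), not by a blanket "allow icmp in".
stateful_icmp_rules() {
    cat <<EOF
add 100 check-state
add 110 allow icmp from me to $PEER out via $OIF keep-state
add 120 deny icmp from any to me in via $OIF
EOF
}

# Stateless variant: a separate inbound rule is required; limit it to
# reply/error types (echo reply, unreachable, time exceeded) so the host
# does not also answer unsolicited echo requests from the peer.
stateless_icmp_rules() {
    cat <<EOF
add 110 allow icmp from me to $PEER out via $OIF
add 120 allow icmp from $PEER to me in via $OIF icmptypes 0,3,11
EOF
}

# Load a ruleset read from stdin: flush, then let ipfw read the file.
# Without ipfw or root privileges just print what would be loaded.
apply_rules() {
    if command -v ipfw >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        t=$(mktemp) || exit 1
        cat >"$t"
        ipfw -q -f flush
        ipfw -q "$t"
        rm -f "$t"
    else
        echo "# dry run: ipfw not available or not root; rules follow" >&2
        cat
    fi
}

# Summarise the ICMP dynamic entries of "ipfw -d show" (read on stdin) as
# "rule lifetime src dst"; fields follow the layout quoted in the post.
icmp_state_summary() {
    awk '$5 == "STATE" && $6 == "icmp" { print $1, $4, $7, $10 }'
}

# The dynamic-rule line quoted in the post, used for an offline dry run.
SAMPLE_STATE='00099 7 588 (5s) STATE icmp 192.168.1.2 0 <-> 192.168.1.1 0'

# Dry run of the stateful ruleset, then the parsed sample entry. On a live
# box replace the second line with: ipfw -d show | icmp_state_summary
stateful_icmp_rules | apply_rules
printf '%s\n' "$SAMPLE_STATE" | icmp_state_summary
```

Two caveats worth knowing before relying on the stateful form. The lifetime of the entry comes from net.inet.ip.fw.dyn_short_lifetime, so read it with `sysctl net.inet.ip.fw.dyn_short_lifetime` and raise it if slow links make replies arrive after the entry has expired. And a dynamic entry is keyed on protocol and the two addresses, so the ICMP entry above only matches ICMP between me and the peer; ICMP errors (unreachable, time exceeded) generated in response to a TCP or UDP flow do not match that flow's dynamic entry and still need an explicit inbound rule, which is the case the quoted reply is pointing at.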