icmp-type echoreq not matching resulting ttl exceeded
Ermal Luçi
eri at freebsd.org
Fri Nov 29 13:13:03 UTC 2013
On Fri, Nov 29, 2013 at 1:28 PM, Ian FREISLICH <ianf at clue.co.za> wrote:
> Hi
>
> At some point this stopped working. I was able to use traceroute -I
> This rule let the echo request out and the resulting TTL exceeded
> was matched and allowed back in.
>
>
Which FreeBSD version are you testing this on?
Normally it should just work unless the reply src ip is different from your
sent dstip.
> pass out inet proto icmp from <ournets> to any icmp-type echoreq
> I've had to change the rule to the following to keep traceroute going:
>
> pass out inet proto icmp from <ournets> to any
>
> Ian
>
> --
> Ian Freislich
--
Ermal