ipfw: question about keep-state on icmp
Geert Hendrickx
geert.hendrickx at ua.ac.be
Sun Jun 13 05:45:05 PDT 2004
Hi,
this is a fragment of my ipfw-config which should allow me to ping
others, but not allow others to ping me:
00092 allow icmp from me to any keep-state
65535 deny ip from any to any
Indeed, other hosts can't ping me... UNLESS I am pinging them at the
same time! This is of course a result of keeping the state of ICMP
traffic between these two hosts, and I can avoid this by changing it to:
00091 deny icmp from any to me icmptype 8 <-- deny ping request to me
00092 allow icmp from me to any keep-state
(icmptype 8 = ping request)
But then I don't see the use for keep-state in 00092 anymore... The
following seems equally valid to me:
00091 allow icmp from me to any
00092 allow icmp from any to me icmptype 0 <-- allow ping reply to me
So what am I missing?
And are errors as in the first example also possible with
TCP connections, e.g. ssh?
GH
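To see what the three rule sets above actually do, here is a small model of ipfw's dynamic-rule table in Python. It is an added example written for this page, not code from the post or from FreeBSD's ipfw, and it deliberately simplifies: a matching keep-state rule inserts an entry keyed on protocol, source and destination address and ports; the table is consulted once per packet, at the first keep-state (or check-state) rule the packet reaches, and an entry matches in both directions; ICMP carries no ports, so its entries use 0 and any ICMP packet between the two hosts hits them. The addresses 10.0.0.1 (me) and 10.0.0.2 (the peer), the scenario names and the packets are constructed for the example.

```python
# Added example (not from the original post, not FreeBSD's ipfw code): a
# simplified model of ipfw's dynamic-rule table, enough to replay the three
# rule sets from the post plus a TCP case. Addresses are assumed values.
from dataclasses import dataclass
from typing import Optional

ME = "10.0.0.1"    # assumed: my address
PEER = "10.0.0.2"  # assumed: the other host

@dataclass(frozen=True)
class Packet:
    proto: str                      # "icmp" or "tcp"
    src: str
    dst: str
    sport: int = 0                  # ICMP has no ports; ipfw keys them as 0
    dport: int = 0
    icmptype: Optional[int] = None  # 8 = echo request, 0 = echo reply

@dataclass(frozen=True)
class Rule:
    number: int
    action: str                     # "allow" or "deny"
    proto: str                      # "ip", "icmp" or "tcp"
    src: str                        # "me" or "any"
    dst: str
    icmptypes: Optional[frozenset] = None
    keep_state: bool = False

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "ip" or self.proto == p.proto)
                and (self.src == "any" or p.src == ME)
                and (self.dst == "any" or p.dst == ME)
                and (self.icmptypes is None or p.icmptype in self.icmptypes))

class Firewall:
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)
        self.dynamic = set()        # entries: (proto, src, sport, dst, dport)

    def check(self, p: Packet) -> str:
        """Return "allow" or "deny" for p, inserting state as keep-state would."""
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)   # same flow, other way
        state_checked = False
        for r in self.rules:
            # ipfw consults the dynamic table once per packet, at the first
            # keep-state (or check-state) rule it reaches, before that rule's
            # own match fields; a hit takes the creating rule's action (allow).
            if r.keep_state and not state_checked:
                state_checked = True
                if fwd in self.dynamic or rev in self.dynamic:
                    return "allow"
            if not r.matches(p):
                continue
            if r.action == "allow" and r.keep_state:
                self.dynamic.add(fwd)
            return r.action
        return "deny"               # the implicit default rule

DENY_ALL = Rule(65535, "deny", "ip", "any", "any")
# The three ICMP rule sets from the post, in the order given there.
RULES_ORIGINAL = [Rule(92, "allow", "icmp", "me", "any", keep_state=True), DENY_ALL]
RULES_DENY_REQUEST = [Rule(91, "deny", "icmp", "any", "me", icmptypes=frozenset({8}))] + RULES_ORIGINAL
RULES_STATELESS = [Rule(91, "allow", "icmp", "me", "any"),
                   Rule(92, "allow", "icmp", "any", "me", icmptypes=frozenset({0})), DENY_ALL]
# An outbound-only TCP rule, for the ssh part of the question.
RULES_TCP = [Rule(100, "allow", "tcp", "me", "any", keep_state=True), DENY_ALL]

def run(rules, *packets):
    """Feed constructed packets through a fresh firewall; return the last verdict."""
    fw = Firewall(rules)
    return [fw.check(p) for p in packets][-1]

def icmp_scenarios(rules):
    req_out = Packet("icmp", ME, PEER, icmptype=8)  # my ping to the peer
    req_in = Packet("icmp", PEER, ME, icmptype=8)   # the peer pinging me
    rep_in = Packet("icmp", PEER, ME, icmptype=0)   # echo reply from the peer
    return {
        "request_in_idle": run(rules, req_in),
        "request_in_while_pinging": run(rules, req_out, req_in),
        "reply_to_my_ping": run(rules, req_out, rep_in),
        "unsolicited_reply": run(rules, rep_in),
    }

def tcp_scenario():
    """State for my ssh session is keyed on ports, so the peer's own ssh SYN misses it."""
    fw = Firewall(RULES_TCP)
    return {
        "my_ssh_syn_out": fw.check(Packet("tcp", ME, PEER, sport=40000, dport=22)),
        "synack_back": fw.check(Packet("tcp", PEER, ME, sport=22, dport=40000)),
        "peer_ssh_syn_in": fw.check(Packet("tcp", PEER, ME, sport=51000, dport=22)),
    }

if __name__ == "__main__":
    for name, rules in (("original", RULES_ORIGINAL), ("deny icmptype 8", RULES_DENY_REQUEST),
                        ("stateless", RULES_STATELESS)):
        print(name, icmp_scenarios(rules))
    print("tcp", tcp_scenario())
```

Running it replays the observation in the post: with only rule 92, an echo request from the peer is denied while idle but allowed while a ping to that peer is in flight, because the ICMP entry is keyed without ports or types and matches the reverse direction as well. Putting the `deny ... icmptype 8` rule in front closes that, because the packet is dropped before it reaches the keep-state rule where the dynamic table is consulted. Compared with the stateless variant, keep-state still buys something: an echo reply is accepted only from a host this box has pinged, whereas `allow icmp from any to me icmptype 0` accepts replies from anyone. For TCP the entry includes the port pair, so the peer's own SYN to port 22 does not match the state created by an outbound ssh session; the model leaves out ipfw's TCP flag tracking, the `setup` keyword and state timeouts.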