IP packet with options

Nikos Vassiliadis nvass at teledomenet.gr
Thu Nov 8 02:11:59 PST 2007


On Wednesday 07 November 2007 18:04:48 Malcolm Clarke wrote:
> I have configured a machine with 2 NIC and IPFW in a rather simplistic
> way as we are using it to emulate different link characteristics rather
> than as an actual firewall.
>
> 00100 4 355 pipe 1 ip from any to any via de0 in
> 00200 1  56 pipe 2 ip from any to any via de0 out
> 00300 0   0 pipe 3 ip from any to any via de1 in
> 00400 3 288 pipe 4 ip from any to any via de1 out
> 65535 4 246 deny ip from any to any
>
> The configuration works fine and traffic crosses the firewall without
> problem, except ICMP packets having timestamp or routing option, and
> these are not returned.
>
> Is there a way to allow these packets to enter/exit the firewall?

You have to explicitly enable processing of source routed
packets. Forwarding such packets is denied by default.
Use "sysctl net.inet.ip.sourceroute=1". Timestamp requests
are forwarded by default as far as I know.

HTH, Nikos
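Added example, not part of the original thread or of FreeBSD: a small Python parser that walks the IPv4 options field and reports whether a header carries a source route option (LSRR, type 131, or SSRR, type 137) or the timestamp option (type 68), the two option kinds the question concerns. The packets it inspects are constructed inline (the addresses, option layouts and `build_ipv4_header` helper are all assumptions made for the example). Running something like this over captured traffic shows what is actually reaching the box before deciding whether to turn on forwarding of source-routed packets, which lets the sender override the router's own path selection and is therefore off by default.

```python
import ipaddress
import struct

# IPv4 option type codes from RFC 791
OPT_EOL, OPT_NOP, OPT_RR, OPT_TS, OPT_LSRR, OPT_SSRR = 0, 1, 7, 68, 131, 137
OPTION_NAMES = {OPT_RR: "RR", OPT_TS: "TS", OPT_LSRR: "LSRR", OPT_SSRR: "SSRR"}


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words; 0 when a header verifies."""
    total = sum((header[i] << 8) + header[i + 1] for i in range(0, len(header), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, options: bytes = b"", proto: int = 1) -> bytes:
    """Construct a minimal IPv4 header (sample data, no payload) with the given options."""
    options += b"\x00" * ((-len(options)) % 4)   # pad to a 32-bit boundary with EOL
    ihl = 5 + len(options) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4, 0, 0, 64, proto, 0,
                        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    header = fixed + options
    csum = ipv4_checksum(header)
    return header[:10] + struct.pack("!H", csum) + header[12:]


def parse_ipv4_options(packet: bytes):
    """Return (ihl_in_bytes, [option dicts]) for the header at the start of packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    opts, parsed, i = packet[20:ihl], [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:            # single-byte option, no length field
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option without length byte")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("malformed option length")
        body = opts[i + 2:i + length]
        entry = {"type": kind, "name": OPTION_NAMES.get(kind, f"opt{kind}"), "len": length}
        if kind in (OPT_LSRR, OPT_SSRR, OPT_RR):
            # pointer byte, then a list of 4-byte addresses
            entry["pointer"] = body[0]
            entry["route"] = [str(ipaddress.IPv4Address(body[j:j + 4]))
                              for j in range(1, len(body) - 3, 4)]
        elif kind == OPT_TS:
            entry["pointer"] = body[0]
            entry["flag"] = body[1] & 0x0F   # 0 = timestamps only, 1/3 = with addresses
        parsed.append(entry)
        i += length
    return ihl, parsed


def classify_packet(packet: bytes) -> dict:
    """Summarise what a filter or sysctl would have to allow for this header."""
    ihl, options = parse_ipv4_options(packet)
    return {
        "ihl": ihl,
        "checksum_ok": ipv4_checksum(packet[:ihl]) == 0,
        "options": [o["name"] for o in options],
        "source_routed": any(o["type"] in (OPT_LSRR, OPT_SSRR) for o in options),
        "timestamp": any(o["type"] == OPT_TS for o in options),
    }


# Constructed sample headers (addresses are placeholders, not from the thread)
_LSRR = b"\x83\x0b\x04" + ipaddress.IPv4Address("10.0.0.1").packed \
        + ipaddress.IPv4Address("10.0.0.2").packed           # LSRR, len 11, ptr 4
_TS = b"\x44\x0c\x05\x00" + b"\x00" * 8                      # TS, len 12, two empty slots
PLAIN_PACKET = build_ipv4_header("192.0.2.10", "192.0.2.20")
LSRR_PACKET = build_ipv4_header("192.0.2.10", "192.0.2.20", _LSRR)
TS_PACKET = build_ipv4_header("192.0.2.10", "192.0.2.20", _TS)
COMBINED_PACKET = build_ipv4_header("192.0.2.10", "192.0.2.20", _LSRR + b"\x01" + _TS)

if __name__ == "__main__":
    for name, pkt in [("plain", PLAIN_PACKET), ("lsrr", LSRR_PACKET),
                      ("ts", TS_PACKET), ("combined", COMBINED_PACKET)]:
        print(name, classify_packet(pkt))
```

The `source_routed` flag is the one that matters for the sysctl in the reply: those are the headers a FreeBSD router refuses to forward until net.inet.ip.sourceroute is set, whereas a header that only carries TS is forwarded as ordinary traffic.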

