Hi Alain,

Yes, it works. When I add a specific rule it works, or when I disable PF then the record route ICMP packets get forwarded. Thanks a lot.

Now these are the things I found:

If I put these rules it does not forward packets:

    pass in all allow-opts
    pass out all allow-opts

If I put the following it forwards:

    pass in proto icmp all allow-opts
    pass out proto icmp all allow-opts

My typical scenario is to allow requests to go out and replies to come in. No block rules for traffic from the trusted side (private) to come in to the forwarder, no block rules going out the public interface either. Block all rules coming in on the untrusted interface (public). But it looks like keep state is not of much use here:

    pass out proto icmp all keep state allow-opts

The above does not work, since the default behavior is to block on all interfaces. I have to add an explicit rule to let the request packet come in first, i.e. "pass in on fxp1 proto icmp all allow-opts".

Considering the above scenario, for allowing normal ICMP packets to go through one would need only one rule:

    pass out proto icmp all keep state

We need to add two rules if options are set, so is keep state with allow-opts doing its job? If it is an issue I have helped to bring it to OpenBSD's attention, otherwise pls. ignore my ignorance.

--Gopu

-----Original Message-----
From: Alain Deschamps [mailto
Sent: Saturday, August 02, 2003 1:04 AM
To: tech@openbsd.org
Subject: Re: ICMP record route

On Fri, 1 Aug 2003 15:35:35 -0600, you wrote:

>I feel the OpenBSD is responding fine, but the main problem I have is
>that it does not forward ICMP packets with the record route options
>set. I have verified that with my system (OpenBSD 3.2 stable).
>
>--Gopu
>
>-----Original Message-----
>From: Federico G. Schwindt [mailto:fgsch@lodoss.net]
>Sent: Friday, August 01, 2003 2:01 PM
>To: Pillai, Gopakumar (Gopu)
>Cc: tech@openbsd.org
>Subject: Re: ICMP record route
>
>
>On Fri, Aug 01, 2003 at 02:26:40PM -0600, Pillai, Gopakumar (Gopu) wrote:
>> I am running OpenBSD 3.2 stable. I found that it does not reply to
>> ICMP requests with record route option (tested with "ping -R"
>> command).
>>
>> More than that, when I setup my OpenBSD box to forward packets between
>> interfaces, it does not forward ICMP record route packets.
>>
>> Is this a bug or is it disabled by default in the system?
>>
>> If disabled, how can I enable it?
>>
>> Couldn't find any help on this subject, hence bugging you all.
>>
>> Thanks in advance
>
> it works fine for me in -current, don't remember 3.2, tho. this
> belongs to misc anyway.
>
>PING 192.168.1.1 (192.168.1.1): 56 data bytes
>64 bytes from 192.168.1.1: icmp_seq=0 ttl=63 time=0.798 ms
>RR: 192.168.1.14
> 192.168.1.1
> 192.168.1.1
> 10.10.1.1
> xx.xx.xx (xx.xx.xx.xx)
>64 bytes from 192.168.1.1: icmp_seq=1 ttl=63 time=0.554 ms (same route)
>64 bytes from 192.168.1.1: icmp_seq=2 ttl=63 time=0.504 ms (same route)
>--- 192.168.1.1 ping statistics ---
>
> f.-

By default IP options are dropped by pf. Search allow-opts in man pf.conf

AD

---
Incoming mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.505 / Virus Database: 302 - Release Date: 7/30/2003
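The scenario Gopu describes, written out as a complete pf.conf fragment. This is an added example, not a configuration from the thread or from OpenBSD's documentation; fxp1 as the private interface comes from the thread, while fxp0 as the public interface and the 192.168.1.0/24 LAN are assumptions. It shows the overly broad form from the thread next to a narrow one, and why the rule matching the packet on each interface needs allow-opts: pf only honours allow-opts on the last matching pass rule (or the state created by one), and a packet that matches no rule at all falls under the default policy of dropping packets with IP options, which is the behaviour Alain points to. That the reply, which carries the same option back, is let in by the state created by the allow-opts rule is also an assumption here; the thread itself only confirms the non-stateful two-rule form.

```pf
# Added example pf.conf (not from the thread). Interface names are assumptions:
# fxp0 = public (untrusted) side, fxp1 = private (trusted) side as in Gopu's mail.
ext_if = "fxp0"
int_if = "fxp1"
lan    = "192.168.1.0/24"     # constructed sample network

# Default deny only on the untrusted interface; the trusted side stays open.
block in on $ext_if

# Overly broad form from the thread: would honour every IP option on every
# interface, including the source-route options pf drops by default. Left
# commented out on purpose.
# pass in all allow-opts
# pass out all allow-opts

# Ordinary ICMP (no options) only needs the stateful outbound rule; the
# inbound leg on $int_if is covered by the default pass. Placed first so the
# narrower allow-opts rules below win as the last match.
pass out on $ext_if proto icmp from $lan keep state

# Narrow form: only echo requests from the LAN, only on the inside interface,
# may carry options such as record route. Without this rule the packet
# matches nothing on $int_if and is dropped for having options.
pass in on $int_if proto icmp from $lan icmp-type echoreq allow-opts

# Outbound leg with state, so the echo reply coming back in on $ext_if
# (past the block above) is matched by the state that inherits allow-opts.
pass out on $ext_if proto icmp from $lan icmp-type echoreq keep state allow-opts
```

Keeping allow-opts on exactly these two ICMP rules, rather than on "pass ... all", limits the exposure to the one option type the LAN actually needs, which is the reason pf refuses options unless a rule says otherwise.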