On Mon, Aug 04, 2003 at 03:00:11PM -0600, Pillai, Gopakumar (Gopu) wrote:

> If I put these rules it does not forward packets.
>
>     pass in all allow-opts
>     pass out all allow-opts
>
> If I put the following it forwards:
>
>     pass in proto icmp all allow-opts
>     pass out proto icmp all allow-opts

That doesn't make sense, I suspect some other mistake in the ruleset (like a subsequent matching rule without allow-opts in the first case). The former should work just as well (since it also applies to ICMP packets), assuming these rules are indeed the last matching rules of the ruleset for all ICMP packets. pfctl -vvsr will tell you whether rules are last matching.

> We need to add two rules if options are set, then is keep-state with
> allow-opts doing its job?

Yes, the allow-opts flag is copied from the rule to the state entry (when the rule creates state), and honoured for all packets subsequently matching the state. You'll need two state entries (one for incoming packets on the internal interface, one for outgoing packets on the external interface). Two rules like

    pass in on $int_if inet proto icmp all keep state allow-opts
    pass out on $ext_if inet proto icmp all keep state allow-opts

will have that effect. And no, there's no simpler solution. IP options are rarely needed and often harmful, hence you need to know what you are doing when you want to pass them. Note that allow-opts in a state entry will allow any kind of IP option in either direction.

Daniel
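A constructed pf.conf fragment (added here, not part of the thread) showing the "subsequent matching rule" mistake Daniel suspects, next to a ruleset where the two stateful allow-opts rules really are the last match for ICMP. Interface names em0/em1 and the extra TCP rule are assumptions for illustration.

```pf
# Constructed example, not from the original post. pf evaluates rules
# top to bottom and the LAST matching rule wins (unless a rule says quick),
# so a later rule without allow-opts silently overrides an earlier one.
int_if = "em1"     # assumed internal interface
ext_if = "em0"     # assumed external interface

# --- Broken ordering (commented out, for comparison) --------------------
# "pass in all allow-opts" / "pass out all allow-opts" look correct, but the
# later "pass out ... proto icmp" rule also matches outgoing ICMP, wins as
# the last match, and has no allow-opts, so packets carrying IP options
# are dropped on the way out even though the first two rules allow them.
#
# pass in all allow-opts
# pass out all allow-opts
# pass out on $ext_if inet proto tcp from any to any keep state   # assumed
# pass out on $ext_if inet proto icmp all keep state

# --- Corrected ruleset ---------------------------------------------------
# Default deny, then the two stateful ICMP rules with allow-opts placed
# after any other rule that could match ICMP, so they are the last
# matching rules on both interfaces and their state entries carry allow-opts.
block all
pass out on $ext_if inet proto tcp from any to any keep state   # assumed
pass in  on $int_if inet proto icmp all keep state allow-opts
pass out on $ext_if inet proto icmp all keep state allow-opts

# Check: "pfctl -vvsr" prints the loaded rules with per-rule counters, which
# tells you which rule is actually the last match for the ICMP traffic.
```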