
Re: ICMP record route

From: Pillai, Gopakumar (Gopu) <gopu(at)avaya.com>
Date: Mon Aug 04 2003 - 17:00:11 EDT


Hi Alain,
Yes, it works: when I add a specific rule it works, or when I disable PF the record route ICMP packets get forwarded. Thanks a lot.

Now these are the things I found:

If I put these rules it does not forward packets.

	pass in all allow-opts
	pass out all allow-opts

If I put the following it forwards:
	pass in proto icmp all allow-opts
	pass out proto icmp all allow-opts

My typical scenario is to allow requests to go out and replies to come in. No block rules for traffic from the trusted side (private) to come in to the forwarder, no block rules going out the public interface either. Block all rules coming in on the untrusted interface (public).

But looks like keep state is not much of use here:

        pass out proto icmp all keep state allow-opts

The above does not work, since the default behavior is to block on all interfaces. I have to add an explicit rule to let the request packet come in first i.e. "pass in on fxp1 proto icmp all allow-opts".

Considering the above scenario, for allowing normal ICMP packets to go through one would need only one rule:


        pass out proto icmp all keep state

We need to add two rules if options are set, so is keep-state with allow-opts doing its job?

If it is an issue, I have helped to bring it to OpenBSD's attention; otherwise please ignore my ignorance.

--Gopu

-----Original Message-----
From: Alain Deschamps [mailto:obsd-tech@alain.deschamps.name]
Sent: Saturday, August 02, 2003 1:04 AM
To: tech@openbsd.org
Subject: Re: ICMP record route

On Fri, 1 Aug 2003 15:35:35 -0600, you wrote:

>I feel the OpenBSD is responding fine, but the main problem I have is

By default IP options are dropped by pf. Search allow-opts in man pf.conf


AD

---
Incoming mail is certified Virus Free.
Checked by AVG anti-virus system (
http://www.grisoft.com).
Version: 6.0.505 / Virus Database: 302 - Release Date: 7/30/2003
Received on Mon Aug 4 17:04:10 2003
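As an added illustration (not part of this thread or of pf itself), the following Python builds a constructed ICMP echo request whose IPv4 header carries a Record Route option (IP option number 7), walks the option list the way a filter has to, and models pf's documented default of dropping option-bearing packets unless the matching rule has allow-opts. The addresses and the `pf_default_verdict` model are assumptions for the example.

```python
import struct

# IPv4 option numbers (low 5 bits of the option type byte)
IPOPT_EOL, IPOPT_NOP, IPOPT_RR = 0, 1, 7
OPTION_NAMES = {IPOPT_EOL: "EOL", IPOPT_NOP: "NOP", IPOPT_RR: "RR"}

def build_icmp_packet(src, dst, rr_slots=None):
    """Constructed sample: IPv4 header + ICMP echo request. When rr_slots is
    given, a Record Route option with that many empty address slots is added
    and the header is padded to a 32-bit boundary. Checksums are left zero:
    this is parser input, not a packet meant to be sent."""
    opts = b""
    if rr_slots is not None:
        opts = bytes([IPOPT_RR, 3 + 4 * rr_slots, 4]) + b"\x00" * (4 * rr_slots)
        opts += bytes([IPOPT_EOL]) * ((4 - len(opts) % 4) % 4)
    ihl = 5 + len(opts) // 4
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1)   # type 8 = echo request
    total = ihl * 4 + len(icmp)
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 0, 0, 64, 1, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + opts + icmp

def ip_options(pkt):
    """Return the names of IP options present between the fixed 20-byte header
    and the payload, validating each length byte before trusting it."""
    ihl = (pkt[0] & 0x0F) * 4
    opts, i, found = pkt[20:ihl], 0, []
    while i < len(opts):
        kind = opts[i] & 0x1F
        if kind == IPOPT_EOL:
            break
        if kind == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("malformed IP option: missing length")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("malformed IP option: bad length")
        found.append(OPTION_NAMES.get(kind, f"opt{kind}"))
        i += length
    return found

def pf_default_verdict(pkt, allow_opts=False):
    """Assumed model of pf's default: drop any packet carrying IP options
    unless the matching rule has allow-opts (see allow-opts in pf.conf(5))."""
    return "pass" if (allow_opts or not ip_options(pkt)) else "drop"
```

The record-route ping from the thread corresponds to `rr_slots` greater than zero; a plain ping has no option list and passes without allow-opts.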

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 13:48:43 EDT

