[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[OT] icmp timeouts

To: misc_(_at_)_openbsd_(_dot_)_org
Subject: [OT] icmp timeouts
From: Kenton Brede <xyf_(_at_)_nixnotes_(_dot_)_org>
Date: Wed, 28 May 2003 22:48:54 -0500
Mail-followup-to: misc_(_at_)_openbsd_(_dot_)_org

I'm trying to set up my firewalls to be a good net citizen.  I set up
the following rules:

pass in quick on $ei inet proto icmp all icmp-type 8 code 0 keep state
pass in quick on $ei inet proto icmp all icmp-type 3 keep state
pass in quick on $ei inet proto icmp all icmp-type 11 keep state

I did a test by pointing my browser to the external interface ($ei) on
the firewall which isn't running any web services.  Using Phoenix I get
an "operation timed out" after about 35 seconds.  With Netscape it
hangs for a good couple minutes and then responds with, "no response."

Now according to the RFC ICMP type 3 code 3 should be responding with a
"port unreachable" signal.  I would think that would happen before the
my browsers are timing out.  

When I drop my firewall the response I get back from both browsers is
immediate and "refused by server."

What am I doing wrong with my rules to cause these long timeouts?
Thanks,
kent

-- 
"I am always doing that which I can not do, 
   in order that I may learn how to do it." --Pablo Picasso

Prev by Date: Re: what is openbsd's 'best' supported raid1 ata adapter?
Next by Date: set block-policy return
Previous by thread: Re: what is openbsd's 'best' supported raid1 ata adapter?
Next by thread: set block-policy return
Index(es):
- Date
- Thread

Visit your host, monkey.org