
[OT] icmp timeouts



I'm trying to set up my firewalls to be a good net citizen.  I set up
the following rules:

pass in quick on $ei inet proto icmp all icmp-type 8 code 0 keep state
pass in quick on $ei inet proto icmp all icmp-type 3 keep state
pass in quick on $ei inet proto icmp all icmp-type 11 keep state

I did a test by pointing my browser to the external interface ($ei) on
the firewall which isn't running any web services.  Using Phoenix I get
an "operation timed out" after about 35 seconds.  With Netscape it
hangs for a good couple minutes and then responds with, "no response."

Now according to the RFC, ICMP type 3 code 3 should be responding with a
"port unreachable" signal.  I would think that would happen before my
browsers are timing out.

When I drop my firewall the response I get back from both browsers is
immediate and "refused by server."

What am I doing wrong with my rules to cause these long timeouts?
Thanks,
kent

-- 
"I am always doing that which I can not do, 
   in order that I may learn how to do it." --Pablo Picasso
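The two behaviours described above (a long browser timeout with the firewall up, an immediate "refused" with it down) come down to what the firewall sends back for traffic it blocks. The fragment below is an added pf.conf example, not the poster's ruleset; the interface name and the default block rule are assumptions, since only the ICMP pass rules are shown in the post.

```pf
# Added example, not from the original post. Assumes the external
# interface is $ei and that everything not explicitly passed is blocked.
ei = "fxp0"   # placeholder interface name, not from the post

# Weak setting for the symptom in the post: a dropped SYN gets no answer,
# so the browser keeps retransmitting until its own connect timeout
# expires (tens of seconds to a couple of minutes).
#set block-policy drop
#block in on $ei

# Corrected setting: "return" answers blocked TCP with a RST and blocked
# UDP with an ICMP type 3 (unreachable), so the client fails at once.
# A RST is also what an unfiltered host sends for a closed TCP port,
# which is why the browser reports "refused by server" with pf down.
set block-policy return
block in on $ei

# Per-rule equivalents, if the global policy should stay "drop":
#block return-rst  in on $ei inet proto tcp all
#block return-icmp in on $ei inet proto udp all

# The ICMP passes from the post still apply: echo requests, unreachable
# and time-exceeded messages are let in and tracked by state.
pass in quick on $ei inet proto icmp all icmp-type 8 code 0 keep state
pass in quick on $ei inet proto icmp all icmp-type 3 keep state
pass in quick on $ei inet proto icmp all icmp-type 11 keep state
```

The trade-off is that "return" tells a remote sender immediately that a port is filtered or closed, whereas "drop" makes the host look silent at the cost of these timeouts; the "good net citizen" choice is "return", and nothing in the ICMP pass rules themselves causes the delay.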