Re: Statefull filtering of ICMP, HP-Openview
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: Statefull filtering of ICMP, HP-Openview
- From: "Marcus W." <marcus_(_at_)_secretsauce_(_dot_)_org>
- Date: 28 Aug 2003 14:59:54 -0400
- Organization: Fathorse LTD.
- Reply-to: marcus_(_at_)_secretsauce_(_dot_)_org
Ah, just noticed the 'keep state' in the rules...according to the
benzedrine site it _should_ be working without allowing the other types
required explicitly, although it was recently added in OpenBSD 3.1.
I'd still try accepting the other codes and giving it a whirl.
Cheers,
Marc W.
On Thu, 2003-08-28 at 14:41, Marcus W. wrote:
> Echo replies are type 0 code 0. You are only allowing type 8
> (echo-request) with your rules.
>
> A complete listing of icmp codes and types is available here.
> http://www.seifried.org/security/ports/icmp.txt
>
> Cheers,
> Marc W.
>
> On Thu, 2003-08-28 at 05:23, Sascha Schnitzler wrote:
> > Hi!
> >
> > I have an HP-Openview behind my transparent firewall which pings its
> > clients every 5 minutes or so. ICMP Echo Request goes out, but Echo Reply
> > is blocked. The following rules apply:
> >
> > pass in quick on xl1 inet proto icmp all icmp-type 8 code 0 keep state
> > pass out quick on xl1 inet proto icmp all icmp-type 8 code 0 keep state
> >
> > Aug 28 13:19:53.399590 rule 3/0(match): block out on xl1: 10.0.0.2 >
> > 192.168.1.74: icmp: echo reply (id:0 seq:0) (ttl 120, id 42961)
> >
> > Rule #3 is my block-everything-rule:
> > block drop in on xl1 all
> >
> > (xl1 is the interface I'm filtering on)
> >
> > Pinging 10.0.0.2 from the Management Server works either way, no blocked
> > icmp-packets.
> >
> > Any ideas?
> >
> > Thanks in advance,
> > sascha
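Added example, not part of the thread and not pf's own code: a toy Python model of the stateful ICMP handling discussed above, using the thread's addresses and rules. It assumes first-match ('quick') rule order with a matching block-out catch-all (the log shows the reply blocked outbound), keys echo state on (src, dst, icmp id) the way pf tracks echo exchanges, and goes slightly beyond the thread by also showing a reply whose identifier does not match the tracked request.

```python
"""Constructed model of pf-style stateful ICMP filtering for the thread's
ping problem. Simplifications: rules are first-match, the block rule is
applied in both directions, and only echo request/reply are modelled."""
from dataclasses import dataclass, field
from typing import Optional

ECHO_REPLY, ECHO_REQUEST = 0, 8  # ICMP types named in the thread


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" or "out" on the filtered interface (xl1)
    src: str
    dst: str
    icmp_type: int
    icmp_id: int = 0  # echo identifier; pf keys echo state on it


@dataclass
class Rule:
    action: str                      # "pass" or "block"
    direction: str                   # "in" or "out"
    icmp_type: Optional[int] = None  # None matches any type ("all")
    keep_state: bool = False


@dataclass
class Filter:
    rules: list
    states: set = field(default_factory=set)  # (src, dst, id) of tracked requests

    def evaluate(self, pkt: Packet) -> str:
        # A reply to a tracked request passes on state before rules are consulted.
        if pkt.icmp_type == ECHO_REPLY and (pkt.dst, pkt.src, pkt.icmp_id) in self.states:
            return "pass:state"
        for r in self.rules:  # first matching rule decides
            if r.direction == pkt.direction and r.icmp_type in (None, pkt.icmp_type):
                if r.action == "pass" and r.keep_state and pkt.icmp_type == ECHO_REQUEST:
                    self.states.add((pkt.src, pkt.dst, pkt.icmp_id))
                return f"{r.action}:rule"
        return "pass:default"


def ping_exchange(keep_state: bool, extra=(), reply_id: int = 7):
    """Openview (192.168.1.74) pings 10.0.0.2 through xl1; returns (request, reply) verdicts."""
    f = Filter([Rule("pass", "in", ECHO_REQUEST, keep_state),
                Rule("pass", "out", ECHO_REQUEST, keep_state),
                *extra,                                   # e.g. an explicit pass for type 0
                Rule("block", "in"), Rule("block", "out")])  # the block-everything rule
    req = f.evaluate(Packet("in", "192.168.1.74", "10.0.0.2", ECHO_REQUEST, icmp_id=7))
    rep = f.evaluate(Packet("out", "10.0.0.2", "192.168.1.74", ECHO_REPLY, icmp_id=reply_id))
    return req, rep
```

With `keep state` the reply is passed on state; without it the reply hits the block rule exactly as in the logged line, and an explicit `pass out ... icmp-type 0 code 0` rule (Marcus's suggestion) passes it regardless of state.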