[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

pf and pmtu discovery

To: misc_(_at_)_openbsd_(_dot_)_org
Subject: pf and pmtu discovery
From: "Alexey E. Suslikov" <suslikov_(_at_)_texnika_(_dot_)_com_(_dot_)_ua>
Date: Thu, 20 Apr 2006 11:58:08 +0300

Lars Weste wrote:

with scrub in all set at the firewall, will openbsd handle icmp packets of type unreach code needfrag automatically, because of the statefulness? as far as i know, icmp packtes like port/host/network unreachable are allowed by the keep state statements, does this also apply for the need fragment codes of icmp unreachable messages?

or shall I have to add a rule to allow these packets explicitly?


citating pf.conf(5):

...

STATEFUL INSPECTION

...

     ICMP messages fall into two categories: ICMP error messages, which always
     refer to a TCP or UDP packet, are matched against the referred to connec-
     tion.  If one keeps state on a TCP connection, and an ICMP source quench
     message referring to this TCP connection arrives, it will be matched to
     the right state and get passed.

...

Prev by Date: BSD-licensed Camellia 128-bit block cipher
Next by Date: Panic: biodone already
Previous by thread: Re: pf and pmtu discovery
Next by thread: PF/CARP load balancing
Index(es):
- Date
- Thread

Visit your host, monkey.org