
Re: Keep carp interfaces in sync, WAS: problems with carp and vlans



Hi,

>> with scrub in all set at the firewall, will openbsd handle icmp packets
>> of type unreach code needfrag automatically, because of the statefulness?
>> as far as I know, icmp packets like port/host/network unreachable are
>> allowed by the keep state statements; does this also apply for the need
>> fragment codes of icmp unreachable messages?
>> 
>> or will I have to add a rule to allow these packets explicitly?
>
> citing pf.conf(5):
> 
> ...
> 
> STATEFUL INSPECTION
> 
> ...
>
>      ICMP messages fall into two categories: ICMP error messages, which
>      always refer to a TCP or UDP packet, are matched against the referred
>      to connection.  If one keeps state on a TCP connection, and an ICMP
>      source quench message referring to this TCP connection arrives, it
>      will be matched to the right state and get passed.
>
> ...

Thanks, I must have overlooked it; I thought only these unreachable
messages would be part of a state.

But on the other side I found this:
http://kerneltrap.org/node/579
regarding Linux NFS and OpenBSD pf and scrub. After reading that, I
assume that I will not need to add an explicit rule for the needfrag ICMP
packets; only if I run into some trouble might I exclude a bit of
traffic from scrubbing.

thanks
lars

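As an added illustration of the behaviour quoted from pf.conf(5) above (this is example configuration written for this note, not a ruleset from the thread or from OpenBSD's documentation), the fragment below keeps state on outbound TCP/UDP and relies on pf to match ICMP error messages, including unreach/needfrag, against those states. The interface name `em0` and the `$ext_if` macro are assumed placeholders; the explicit needfrag rule is left commented out because, per the quoted text, it is not needed for errors that refer to an existing state.

```pf
# Added example, not part of the original thread. Interface is a placeholder.
ext_if = "em0"

# Normalise all inbound traffic, as in the question ("scrub in all").
# The thread notes that some traffic might later be excluded from scrubbing
# if fragment-related NFS problems appear; that is not shown here.
scrub in all

# Default deny; everything passed below creates state.
block all

# Outbound TCP/UDP with state. ICMP error messages (source quench,
# unreachable including code needfrag, etc.) that refer to one of these
# connections are matched against the existing state and passed, so no
# separate ICMP pass rule is required for them.
pass out on $ext_if proto { tcp, udp } from any to any keep state

# Only ICMP that is NOT tied to an existing TCP/UDP state needs its own
# rule, e.g. answering inbound echo requests.
pass in on $ext_if inet proto icmp icmp-type echoreq keep state

# Redundant for stateful connections (see pf.conf(5) STATEFUL INSPECTION);
# shown only to document the rule the original question asked about.
# pass in on $ext_if inet proto icmp icmp-type unreach code needfrag
```

Check the result with `pfctl -nf /etc/pf.conf` (syntax only) and, once loaded, watch `pfctl -ss` for the TCP/UDP state entries that incoming ICMP errors are matched against.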


