
Re: Can't ping outside the firewall



The following is from Stevens' TCP/IP Illustrated, Vol. 1:

ICMP is often considered part of the IP layer. It communicates error
messages and other conditions that require attention. ICMP messages are
usually acted on by either the IP layer or the higher layer protocol (TCP
or UDP).

The ping program is the basic connectivity test between two systems
running TCP/IP. It uses the ICMP echo request and reply messages and does
not use a transport layer (TCP or UDP). The Ping server is normally part
of the kernel's ICMP implementation.

-rik
http://orchard.wccnet.org/~optik

On Sun, 14 Sep 2003, Matthew L. Shobe wrote:

> On Sun, Sep 14, 2003 at 01:22:37AM -0500, Peter H. Coffin wrote:
> > There's no connection, and no state to keep. Let them back in.
>
> pf.conf(5) says otherwise:
>
> 	ICMP error messages, which always refer to a TCP or UDP
> 	packet, are matched against the referred to connection.
>
> 	[...]
>
> 	For ICMP queries, keep state creates an ICMP state, and
> 	pf(4) knows how to match ICMP replies to states.
> --
> mls
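As an added example (not from this thread or its authors), the pf.conf(5) behaviour quoted above is what produces the symptom in the subject line: with a default inbound block and no ICMP state, the echo requests leave, but the echo replies have no state entry to match and are dropped at the external interface. The `$ext_if` macro and the interface name are assumed.

```pf
ext_if = "fxp0"                # assumed external interface name

# Default deny for everything arriving on the outside interface.
block in on $ext_if all

# Problem: the outgoing echo request is allowed, but the echo reply coming
# back is a separate inbound packet with no state to match, so it hits the
# block above and ping never gets an answer.
#pass out on $ext_if inet proto icmp all icmp-type echoreq

# Fix: keep state on the outgoing query. pf creates an ICMP state entry for
# the echo request and lets the matching echo reply (and any ICMP error
# that refers to it) back in without a separate pass in rule.
pass out on $ext_if inet proto icmp all icmp-type echoreq keep state
```

On pf releases of that era `keep state` had to be written explicitly; later OpenBSD releases made stateful filtering the default for pass rules, but the reason the reply is accepted is the same.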