NetBSD-Bugs archive
Re: kern/38390
The following reply was made to PR kern/38390; it has been noted by GNATS.
From: Darren Reed <darrenr%netbsd.org@localhost>
To: cube%cubidou.net@localhost, gnats-bugs%gnats.NetBSD.org@localhost
Cc:
Subject: Re: kern/38390
Date: Mon, 02 Jun 2008 04:18:36 -0700
If the firewall generates an ICMP packet in response to a TCP packet
that is part of a "keep state" session, then it should be automatically
letting it through, without the need for any special
"proto icmp .. keep state" rules.
With regard to Wolfgang's comment, checking ICMP errors to match an existing
state should happen before the "proto icmp" rule is checked...
Is NAT also active here or not?
Darren
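The lookup order described in this reply, as a simplified C model added here; it is not IPFilter code and not part of the original message. The state entry, the addresses, the packets and the single "block all ICMP" rule are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum verdict { PASS_STATE, PASS_RULE, BLOCK_RULE };
struct flow { uint32_t src, dst; uint16_t sport, dport; uint8_t proto; };
struct pkt {
    struct flow outer;   /* the packet's own addresses and protocol */
    int is_icmp_error;   /* e.g. destination unreachable */
    struct flow quoted;  /* offending packet's header quoted in the error */
};

/* Constructed state table: one TCP (proto 6) "keep state" session. */
static const struct flow states[] = { { 0x0a000001, 0xc0a80105, 40000, 22, 6 } };

/* A flow matches a state entry in either direction. */
static int state_lookup(const struct flow *f)
{
    for (size_t i = 0; i < sizeof states / sizeof states[0]; i++) {
        const struct flow *s = &states[i];
        if (f->proto != s->proto) continue;
        if ((f->src == s->src && f->dst == s->dst &&
             f->sport == s->sport && f->dport == s->dport) ||
            (f->src == s->dst && f->dst == s->src &&
             f->sport == s->dport && f->dport == s->sport))
            return 1;
    }
    return 0;
}

/* Hypothetical rule set: block all ICMP (proto 1), pass the rest. */
static enum verdict rules(const struct pkt *p) { return p->outer.proto == 1 ? BLOCK_RULE : PASS_RULE; }

/* State check runs before the rules; ICMP errors are keyed on the quoted header. */
enum verdict filter(const struct pkt *p)
{
    const struct flow *key = p->is_icmp_error ? &p->quoted : &p->outer;
    return state_lookup(key) ? PASS_STATE : rules(p);
}

/* Constructed packets: related ICMP error, unrelated ICMP error, plain echo. */
const struct pkt pkt_related = { { 0xc0a80101, 0x0a000001, 0, 0, 1 }, 1, { 0x0a000001, 0xc0a80105, 40000, 22, 6 } };
const struct pkt pkt_unrelated = { { 0xc0a80101, 0x0a000001, 0, 0, 1 }, 1, { 0x0a000001, 0xc0a80105, 40001, 22, 6 } };
const struct pkt pkt_echo = { { 0x0a000002, 0xc0a80105, 0, 0, 1 }, 0, { 0, 0, 0, 0, 0 } };

int main(void)
{
    printf("%d %d %d\n", filter(&pkt_related), filter(&pkt_unrelated), filter(&pkt_echo));
    return 0;
}
```

Only the ICMP error quoting the tracked TCP session bypasses the ICMP block rule; the unrelated error and the plain echo still reach the rule set and are blocked.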