| field | value | date |
|---|---|---|
| author | dillon <dillon@FreeBSD.org> | 2002-06-25 04:13:46 +0000 |
| committer | dillon <dillon@FreeBSD.org> | 2002-06-25 04:13:46 +0000 |
| commit | 8441f43b694a8f801c31e183120ba014261d3603 (patch) | |
| tree | 08d9e340d1cf8652f4e6eacd99571df72785f319 /share/man/man7 | |
| parent | 9544a17fc4a9530f19fbcc1a3705c017f4c7eb4c (diff) | |
ICMP type 3 packets should be let through for TCP MTU discovery, fixup
the documentation and sample firewall.
PR: docs/39495
Diffstat (limited to 'share/man/man7')
| mode | file | changes |
|---|---|---|
| -rw-r--r-- | share/man/man7/firewall.7 | 9 |

1 file changed, 6 insertions, 3 deletions
diff --git a/share/man/man7/firewall.7 b/share/man/man7/firewall.7 index 602c617..874b1c9 100644 --- a/share/man/man7/firewall.7 +++ b/share/man/man7/firewall.7 @@ -304,10 +304,13 @@ add 03000 allow tcp from any to any http,https add 03000 allow tcp from any to any 4000-65535,ssh,smtp,domain,ntalk add 03000 allow tcp from any to any auth,pop3,ftp,ftp-data -# It is important to allow certain ICMP types through: +# It is important to allow certain ICMP types through, here is a list +# of general ICMP types. Note that it is important to let ICMP type 3 +# through. # # 0 Echo Reply -# 3 Destination Unreachable +# 3 Destination Unreachable (used by TCP MTU discovery, aka +# packet-too-big) # 4 Source Quench (typically not allowed) # 5 Redirect (typically not allowed - can be dangerous!) # 8 Echo @@ -320,7 +323,7 @@ add 03000 allow tcp from any to any auth,pop3,ftp,ftp-data # type 5, but if you allow it make sure that your Internet router # disallows it. -add 04000 allow icmp from any to any icmptypes 0,5,8,11,12,13,14 +add 04000 allow icmp from any to any icmptypes 0,3,8,11,12,13,14 # log any remaining fragments that get through. Might be useful, # otherwise don't bother. Have a final deny rule as a safety to |
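Review bot: the parenthetical added to the type 3 entry, "3 Destination Unreachable (used by TCP MTU discovery, aka packet-too-big)", is imprecise. Path MTU discovery depends on a single code of type 3, code 4 (fragmentation needed and DF set); "packet too big" is the name of the ICMPv6 equivalent (ICMPv6 type 2), not an IPv4 alias for type 3. Because the `icmptypes` keyword in the rule below lists types only, allowing 3 admits every Destination Unreachable code (network, host and port unreachable included), not just the one PMTUD needs, and the comment should say so, e.g. "3 Destination Unreachable (code 4, fragmentation needed, is required for Path MTU discovery; ipfw matches the whole type)". Separately, "It is important to allow certain ICMP types through, here is a list of general ICMP types." is a comma splice; suggest "It is important to allow certain ICMP types through. Here is a list of the general ICMP types; note that type 3 must be let through."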
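Review bot: the rule change does more than the commit message states. Besides adding type 3, `-add 04000 allow icmp from any to any icmptypes 0,5,8,11,12,13,14` becoming `+add 04000 allow icmp from any to any icmptypes 0,3,8,11,12,13,14` also drops type 5 (Redirect) from the sample firewall. That is the right direction, since the comment immediately above ("# type 5, but if you allow it make sure that your Internet router # disallows it.") and the list entry "5 Redirect (typically not allowed - can be dangerous!)" both say Redirect should normally be blocked and the old rule contradicted them, but it is a behavioural change to the example that readers of the manpage will copy, so please mention the removal of type 5 in the commit message or in the comment next to the rule rather than leaving it implicit.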