authorMatthew Dillon <dillon@FreeBSD.org>2002-06-25 04:13:46 +0000
committerMatthew Dillon <dillon@FreeBSD.org>2002-06-25 04:13:46 +0000
commit455c737411f650fd64dca7e0c56dd6a7f6303e0e (patch)
tree08d9e340d1cf8652f4e6eacd99571df72785f319 /share/man/man7/firewall.7
parent022f3e9092e98b34c59cbcc87e8b46f5455f2f88 (diff)
Diffstat (limited to 'share/man/man7/firewall.7')
-rw-r--r--share/man/man7/firewall.79
1 files changed, 6 insertions, 3 deletions
diff --git a/share/man/man7/firewall.7 b/share/man/man7/firewall.7
index 602c6170bad1..874b1c95e9e9 100644
--- a/share/man/man7/firewall.7
+++ b/share/man/man7/firewall.7
@@ -304,10 +304,13 @@ add 03000 allow tcp from any to any http,https
add 03000 allow tcp from any to any 4000-65535,ssh,smtp,domain,ntalk
add 03000 allow tcp from any to any auth,pop3,ftp,ftp-data
-# It is important to allow certain ICMP types through:
+# It is important to allow certain ICMP types through, here is a list
+# of general ICMP types. Note that it is important to let ICMP type 3
+# through.
#
# 0 Echo Reply
-# 3 Destination Unreachable
+# 3 Destination Unreachable (used by TCP MTU discovery, aka
+# packet-too-big)
# 4 Source Quench (typically not allowed)
# 5 Redirect (typically not allowed - can be dangerous!)
# 8 Echo
@@ -320,7 +323,7 @@ add 03000 allow tcp from any to any auth,pop3,ftp,ftp-data
# type 5, but if you allow it make sure that your Internet router
# disallows it.
-add 04000 allow icmp from any to any icmptypes 0,5,8,11,12,13,14
+add 04000 allow icmp from any to any icmptypes 0,3,8,11,12,13,14
# log any remaining fragments that get through. Might be useful,
# otherwise don't bother. Have a final deny rule as a safety to
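Review bot: Rule 04000 carries no comment of its own saying why type 3 is in the list and type 5 is not, so the reasoning lives only in the type table further up, and the next edit to the list could easily undo this correction. I would put a line directly above the rule, such as `# type 3 is needed for path MTU discovery; type 5 (redirect) is deliberately left out`. Path MTU discovery needs only the "fragmentation needed" code of Destination Unreachable, but as far as I know `icmptypes` matches on type alone, so the rule admits every unreachable code from any source, which is worth stating in the same comment. The comment block that follows the rule continues outside this hunk.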