=================================================================== RCS file: /cvsrepo/anoncvs/cvs/www/74.html,v retrieving revision 1.104 retrieving revision 1.105 diff -u -r1.104 -r1.105 --- www/74.html 2023/10/15 15:32:37 1.104 +++ www/74.html 2023/10/15 15:49:48 1.105 @@ -751,24 +751,25 @@ In particular, snmpd(8) and systat(1) now do that. -
pass all
rule so all
+ pass all
rule so all
forms of neighbor advertisements are allowed in either direction.
- divert-packet
rules, the packets may have no checksum
+ nat-to
could fail to insert a state
+ keep state
and nat-to
+ actions for unsolicited ICMP error responses.
+ Tighten the rule matching logic so ICMP error responses
+ no longer match keep state
rule.
+ In typical scenarios, ICMP errors (if solicited) should match
+ existing state. The change is going to bite firewalls which deal
+ with asymmetric routes. In those cases the keep state
+ action should be relaxed to sloppy or new no state
+ rule to explicitly match ICMP errors should be added.
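Review bot: the last sentence of the added paragraph is ungrammatical ("the keep state action should be relaxed to sloppy or new no state rule to explicitly match ICMP errors should be added") and obscures that two alternative fixes are being offered for asymmetric-routing firewalls; suggest "the keep state action should be relaxed to sloppy, or a new no state rule that explicitly matches ICMP errors should be added." The preceding sentence, "no longer match keep state rule", also wants an article: "no longer match a keep state rule."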