Netgate Discussion Forum

"Time Exceeded" & "Parameter Problem" Not in 2.4.4 Default Allow?

    beremonavabi
    last edited by beremonavabi Dec 3, 2018, 1:15 AM Dec 3, 2018, 12:32 AM

    According to:

    https://tools.ietf.org/html/rfc4890#section-4.3.1

    4.3.1. Traffic That Must Not Be Dropped

    Error messages that are essential to the establishment and maintenance of communications:

    o Destination Unreachable (Type 1) - All codes
    o Packet Too Big (Type 2)
    o Time Exceeded (Type 3) - Code 0 only
    o Parameter Problem (Type 4) - Codes 1 and 2 only

    Yet, according to:

    https://github.com/pfsense/pfsense/blob/75cf92ffe93c7ea71cd5b432c369860b6e66a0d3/src/etc/inc/filter.inc#L3297

    the Time Exceeded (Type 3) and Parameter Problem (Type 4) - Codes 1 and 2 are not being allowed by pfSense 2.4.4 in the default allow rule. Should they be?

    EDIT: I guess while I'm here I'll also ask about the missing parts of Neighbor Discovery. According to that same document, Neighbor Discovery consists of 7 message types:

    "o Router Solicitation (Type 133)
    o Router Advertisement (Type 134)
    o Neighbor Solicitation (Type 135)
    o Neighbor Advertisement (Type 136)
    o Redirect (Type 137)
    o Inverse Neighbor Discovery Solicitation (Type 141)
    o Inverse Neighbor Discovery Advertisement (Type 142)"

    Most of the few things I've read on this don't mention the Inverse ones. For instance, this one doesn't talk about them:

    https://tools.ietf.org/html/rfc3971

    But, since pfSense's default ICMPv6 rules specifically allow router and neighbor solicitation and advertisement, why not the others (i.e., specifically, Redirect - but also the two Inverse ones)?

    SG-4860, pfSense 2.4.5-RELEASE-p1 (amd64)
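
One way to audit a rule set against the RFC 4890 section 4.3.1 list quoted in the post, as an added example that is not part of the original post and not pfSense code. It assumes pf.conf-style rule text and the pf.conf(5) icmp6-type names; the sample rules are constructed, and the check looks only at explicit pass rules (it ignores rule order, direction, addresses and state matching).

```python
import re

# RFC 4890 section 4.3.1 error messages quoted in the post above.
# Value: set of required codes, or None for "all codes".
MUST_NOT_DROP = {1: None, 2: None, 3: {0}, 4: {1, 2}}

# pf.conf(5) icmp6-type names for those four types.
PF_NAMES = {"unreach": 1, "toobig": 2, "timex": 3, "paramprob": 4}

# Constructed sample rules in pf.conf syntax (not copied from pfSense's filter.inc).
SAMPLE_RULES = """\
pass in quick inet6 proto ipv6-icmp from any to any icmp6-type { unreach, toobig, neighbrsol, neighbradv } keep state
pass in quick inet6 proto ipv6-icmp from any to any icmp6-type paramprob code 1 keep state
block in quick inet6 proto ipv6-icmp from any to any icmp6-type timex
"""

SPEC = re.compile(r"icmp6-type\s+(\{[^}]*\}|\w+(?:\s+code\s+\d+)?)")
ITEM = re.compile(r"(\w+)(?:\s+code\s+(\d+))?")

def allowed_pairs(rules):
    """Map ICMPv6 type -> set of passed codes, or None when any code passes."""
    allowed = {}
    for line in rules.splitlines():
        m = SPEC.search(line)
        if not m or line.split()[0] != "pass":
            continue  # only explicit pass rules count
        for name, code in ITEM.findall(m.group(1)):
            t = int(name) if name.isdigit() else PF_NAMES.get(name)
            if t is None:
                continue  # a type this check does not cover
            if code == "":
                allowed[t] = None  # no code qualifier: every code passes
            elif allowed.get(t, set()) is not None:
                allowed.setdefault(t, set()).add(int(code))
    return allowed

def missing_must_not_drop(rules):
    """List (type, code) pairs from MUST_NOT_DROP with no pass rule; code None = all codes."""
    allowed, gaps = allowed_pairs(rules), []
    for t, required in MUST_NOT_DROP.items():
        have = allowed.get(t, set())
        if have is None:
            continue  # type passes with any code
        if required is None:
            gaps.append((t, None))  # RFC wants all codes, rules pass only some or none
        else:
            gaps.extend((t, c) for c in sorted(required - have))
    return gaps

if __name__ == "__main__":
    print(missing_must_not_drop(SAMPLE_RULES))
```

For the constructed sample, the gaps reported are Time Exceeded code 0 and Parameter Problem code 2.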
