[j-nsp] broken ACL?

Wed Dec 31 01:46:52 EST 2003

On Tue, 30 Dec 2003, Wayne E. Bouchard wrote:
> So I'm wondering if anyone is aware of ACL problems in 5.6R2.4
> 
> I have a filter containing the following:
> 
> term accept-icmp {
>     from {
>         icmp-type [ unreachable timestamp-reply echo-reply info-reply mask-reply time-exceeded ];
>     }
>     then accept;
> }
[...]
> 
> Some packets get rejected, some get through? What the heck? Am I
> missing something terribly obvious?

You're missing a "proto icmp;" in the from statement.

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings