Date: Tue, 2 Nov 2004 17:30:36 GMT From: Giorgos Keramidas <keramida@freebsd.org> To: freebsd-bugs@FreeBSD.org Subject: Re: kern/73399: ipf blocks echo replies with keep state on pass out icmp line Message-ID: <200411021730.iA2HUaS6036701@freefall.freebsd.org>
The following reply was made to PR kern/73399; it has been noted by GNATS.

From: Giorgos Keramidas <keramida@freebsd.org>
To: Ted Cabeen <ted@impulse.net>
Cc: bug-followup@freebsd.org
Subject: Re: kern/73399: ipf blocks echo replies with keep state on pass out icmp line
Date: Tue, 2 Nov 2004 19:19:33 +0200

On 2004-11-01 16:35, Ted Cabeen <ted@impulse.net> wrote:
> With the following line in /etc/ipf.rules the firewall blocks outbound
> echo replies:
>
> pass out quick on fxp0 proto icmp all keep state

Can I see the full ruleset? This seems to be a problem with the ruleset
you are using. I just flushed all my ipfilter rules and loaded a simple
set like this:

: # ipfstat -hnio
: 0 @1 pass out quick on sis0 proto icmp from any to any keep state
: 3 @2 pass out quick proto udp from any to any port = 53 keep state
: empty list for ipfilter(in)

The first rule allows DNS lookups. The second is the rule you have
mentioned; I've only changed fxp0 to sis0, my interface name.

Outgoing icmp echo requests are passed as expected, and their incoming
icmp echo replies are also allowed:

: # ping www.otenet.gr
: PING www.otenet.gr (62.103.128.200): 56 data bytes
: 64 bytes from 62.103.128.200: icmp_seq=0 ttl=120 time=636.550 ms
: ^C
: --- www.otenet.gr ping statistics ---
: 2 packets transmitted, 1 packets received, 50% packet loss
: round-trip min/avg/max/stddev = 636.550/636.550/636.550/0.000 ms

Incoming echo requests do not receive a reply, because there is no
matching state to allow them in and there is no explicit allow rule for
incoming echo requests. Hence, echo replies are never sent from my
workstation, unless I also add:

: pass in quick on sis0 proto icmp from any to any keep state

This is not a bug though.
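The behaviour described in the reply, as an added toy model of ipf "keep state" for ICMP echo traffic (example code written for this page, not ipf's own code and not from the PR). It assumes a default-block policy, treats every rule as "quick" (first match wins), and uses constructed addresses and ICMP ids.

```python
from collections import namedtuple

# Rule: direction "in"/"out", protocol, and whether it carries "keep state"
Rule = namedtuple("Rule", "direction proto keep_state")
# Packet: icmp_type 8 = echo request, 0 = echo reply; icmp_id ties a reply to its request
Packet = namedtuple("Packet", "direction proto src dst icmp_type icmp_id")

class StatefulFilter:
    def __init__(self, rules):
        self.rules = rules      # all treated as "quick": first matching rule decides
        self.state = set()      # (local, remote, icmp_id) entries created by echo requests

    def _key(self, pkt):
        # index state on the local end so a reply's swapped addresses still match
        return (pkt.src, pkt.dst, pkt.icmp_id) if pkt.direction == "out" \
            else (pkt.dst, pkt.src, pkt.icmp_id)

    def check(self, pkt):
        key = self._key(pkt)
        # 1. the state table is consulted before the rule list
        if pkt.proto == "icmp" and pkt.icmp_type == 0 and key in self.state:
            self.state.discard(key)     # the echo reply completes the exchange
            return "pass (state)"
        # 2. first matching rule wins; "keep state" records outgoing echo requests
        for r in self.rules:
            if r.direction == pkt.direction and r.proto == pkt.proto:
                if r.keep_state and pkt.icmp_type == 8:
                    self.state.add(key)
                return "pass (rule)"
        # 3. assumption: default policy is block, so no rule and no state means drop
        return "block (no state, no rule)"

def simulate(with_pass_in):
    """Replay the three packets discussed in the reply; addresses are constructed."""
    rules = [Rule("out", "icmp", True)]             # the PR's "pass out ... keep state"
    if with_pass_in:
        rules.append(Rule("in", "icmp", True))      # the extra "pass in" the reply suggests
    fw = StatefulFilter(rules)
    me, peer = "192.0.2.10", "62.103.128.200"
    return {
        "own_request_out": fw.check(Packet("out", "icmp", me, peer, 8, 1)),
        "reply_to_own_in": fw.check(Packet("in", "icmp", peer, me, 0, 1)),
        "unsolicited_request_in": fw.check(Packet("in", "icmp", peer, me, 8, 7)),
    }
```

Without the "pass in" rule the unsolicited echo request is dropped before the host can answer it, which is why no echo reply ever leaves; with it, the request passes and the reply is then covered by the outbound rule.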