Date: Tue, 16 Oct 2012 22:57:08 +0200
From: Patrick Lamaiziere <patfbsd@davenulle.org>
To: freebsd-pf@freebsd.org
Subject: Re: [9.1] PF drop
Message-ID: <20121016225708.7b23e083@davenulle.org>
In-Reply-To: <20121016091338.164a6de0@mr129166>
References: <20121012214215.735615d3@davenulle.org> <CA%2Bq%2BTcpw-tVGFenyGZaNXfKSNdm3XBOumQ5=UgC5yBXbPgHHnA@mail.gmail.com> <20121016091338.164a6de0@mr129166>
On Tue, 16 Oct 2012 09:13:38 +0200,
Patrick Lamaiziere <patfbsd@davenulle.org> wrote:

Hello,

> To be sure that states are not involved at all I've used a serial
> console on the firewall (previous tests were made with ssh).
>
> So I don't understand why you don't reproduce this. I will make a few
> more tests.

I've tested on my workstation at work running a fresh 9.1-STABLE and I
still saw "icmp unreachable". So I don't understand...

Config of the first example (Net5501). No special sysctl set.

$ uname -a
FreeBSD malpractice.lamaiziere.net 9.1-RC2 FreeBSD 9.1-RC2 #0 r241596: Mon Oct 15 21:23:23 CEST 2012 root@baby-jane.lamaiziere.net:/usr/obj/usr/src/sys/GENERIC i386

/etc/rc.conf:
background_fsck="NO"
hostname="malpractice.lamaiziere.net"
keymap="fr.iso.acc"
dumpdev="/dev/ad0s1b"
dumpdir="/usr/crash"
devfs_system_ruleset="lpt"
clear_tmp_enable="YES"
pf_enable="YES"
pflog_enable="YES"
ipv6_network_interfaces=""
ifconfig_vr0="192.168.1.254 netmask 255.255.255.0"
ifconfig_vr2="192.168.200.254 netmask 255.255.255.0"
ifconfig_vr3="10.0.200.254 netmask 255.255.255.0"
defaultrouter="192.168.1.1"
gateway_enable="YES"
sshd_enable="YES"
sshd_flags="-u0"
sendmail_enable="YES"
sendmail_flags="-bd"
sendmail_pidfile="/var/spool/postfix/pid/master.pid"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"

----------
Rules:

pfctl -s rules
No ALTQ support in kernel
ALTQ related functions disabled
block drop log (all) all
pass in quick inet from any to 192.168.200.2 no state
block drop out quick on vr2 inet from any to 192.168.200.2
pass out quick all flags S/SA keep state
pass in quick inet all flags S/SA keep state

When I ping from 192.168.1.60 to the dropped host (192.168.200.2):

root@malpractice:/root # tcpdump -i vr0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vr0, link-type EN10MB (Ethernet), capture size 65535 bytes
22:55:17.855511 IP 192.168.1.60 > 192.168.200.2: ICMP echo request, id 47511, seq 1072, length 64
22:55:17.855665 IP 192.168.1.254 > 192.168.1.60: ICMP host 192.168.200.2 unreachable, length 36
22:55:18.856492 IP 192.168.1.60 > 192.168.200.2: ICMP echo request, id 47511, seq 1073, length 64
22:55:18.856610 IP 192.168.1.254 > 192.168.1.60: ICMP host 192.168.200.2 unreachable, length 36

Regards.
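An added check, not part of this thread or of pf itself: a small script that reads `tcpdump -n icmp` output and reports whether a `block drop` rule really stays silent or whether the firewall is answering probes with ICMP host unreachable, as in the capture above. The sample capture is constructed from the lines in the message; the firewall and target addresses (192.168.1.254, 192.168.200.2) are the ones the message uses.

```python
import re
import sys

# Constructed sample modelled on the tcpdump lines shown in the message.
SAMPLE = """\
22:55:17.855511 IP 192.168.1.60 > 192.168.200.2: ICMP echo request, id 47511, seq 1072, length 64
22:55:17.855665 IP 192.168.1.254 > 192.168.1.60: ICMP host 192.168.200.2 unreachable, length 36
22:55:18.856492 IP 192.168.1.60 > 192.168.200.2: ICMP echo request, id 47511, seq 1073, length 64
22:55:18.856610 IP 192.168.1.254 > 192.168.1.60: ICMP host 192.168.200.2 unreachable, length 36
"""

# One tcpdump ICMP line: timestamp, src > dst, then the ICMP description.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP (?P<body>.*)$"
)
UNREACH_RE = re.compile(r"^host (?P<target>[\d.]+) unreachable")


def audit_drop(capture, firewall, target):
    """Count echo requests sent to `target` and ICMP host-unreachable
    messages that `firewall` sent back about that same target."""
    requests = 0
    unreachables = 0
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner lines and non-ICMP traffic
        body = m["body"]
        if m["dst"] == target and body.startswith("echo request"):
            requests += 1
            continue
        u = UNREACH_RE.match(body)
        if u and m["src"] == firewall and u["target"] == target:
            unreachables += 1
    return requests, unreachables


def verdict(capture, firewall, target):
    """Human-readable summary: a true drop rule produces no replies."""
    requests, unreachables = audit_drop(capture, firewall, target)
    if requests == 0:
        return "no probes seen"
    if unreachables == 0:
        return "silent drop"
    return f"firewall answered {unreachables}/{requests} probes with ICMP host unreachable"


if __name__ == "__main__":
    # Usage: tcpdump -n -l -i vr0 icmp | python3 audit.py <firewall> <target>
    fw, tgt = sys.argv[1], sys.argv[2]
    print(verdict(sys.stdin.read(), fw, tgt))
```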