Date: Fri, 29 Nov 2013 16:23:29 +0100
From: Ermal Luçi <eri@freebsd.org>
To: Ian FREISLICH <ianf@clue.co.za>
Cc: "freebsd-pf@freebsd.org" <freebsd-pf@freebsd.org>
Subject: Re: icmp-type echoreq not matching resulting ttl exceeded
Message-ID: <CAPBZQG0whkKNyAn535sYJLzi5YbANZiXyCn4VcypwC93MMt1qg@mail.gmail.com>
In-Reply-To: <E1VmOVP-00076A-O7@clue.co.za>
References: <E1VmNBM-00019a-4U@clue.co.za> <CAPBZQG0HeF+iyS90HW=Mbjq3db59Nnd0s9rWv=3S7L6d3o49Zg@mail.gmail.com> <E1VmOVP-00076A-O7@clue.co.za>
On Fri, Nov 29, 2013 at 2:53 PM, Ian FREISLICH <ianf@clue.co.za> wrote:
> Ermal Luçi wrote:
> > On Fri, Nov 29, 2013 at 1:28 PM, Ian FREISLICH <ianf@clue.co.za> wrote:
> > > At some point this stopped working. I was able to use traceroute -I.
> > > This rule let the echo request out and the resulting TTL exceeded
> > > was matched and allowed back in.
> >
> > Which FreeBSD version are you testing this on?
> > Normally it should just work unless the reply src ip is different from your
> > sent dst ip.
>
> I'm using 11.0-CURRENT #41 r258736 and if-bound state. This doesn't
> work from the host or from a host on any interface that has the
> rule:

Have you tried whether it succeeds if you relax the if-bound rule?
Other than that, the code for matching icmp state based on these specific returns is similar on all pf versions.

> > pass out inet proto icmp from <ournets> to any icmp-type echoreq
>
> All interfaces have 'pass in all'
>
> So for instance a host on vlan21 cannot traceroute to a host off vlan23:
>
> [rv1.jnb1] ~ $ traceroute -w1 -I router.lsn102
> traceroute to router.lsn102.gp-online.net (41.154.14.81), 64 hops max, 72 byte packets
>  1  firewall1.vlan21.jnb1.gp-online.net (41.154.0.58)  0.195 ms  0.152 ms  0.169 ms
>  2  * * *
>  3  * * *
>  4  * * *
>  5  * * *
>  6  * * *
>  7  bridge1.router.lsn102.gp-online.net (41.154.14.81)  4.080 ms  5.859 ms  6.832 ms
>
> However, the traffic is not being denied, or at least it's not being
> logged and all my block rules log.
>
> When the source interface does not have the rule
> pass out inet proto icmp from <ournets> to any icmp-type echoreq
> then the traceroute is successful.
>
> Ian
>
> --
> Ian Freislich

--
Ermal
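As an added illustration of the two configurations discussed in the thread (constructed here, not taken from either poster), a pf.conf fragment showing the if-bound setup Ian describes beside the floating-state variant Ermal asks him to try; the table contents and addresses are placeholders.

```pf
# Constructed pf.conf fragment (added example, not from the thread).
# Table members are sample networks, not the reporter's <ournets>.
table <ournets> { 10.0.21.0/24, 10.0.23.0/24 }

# Variant A, as reported: states are bound to the interface that created
# them, so the echoreq state on vlan21 cannot match a TTL-exceeded reply
# that arrives on vlan23.
set state-policy if-bound
pass in all
pass out inet proto icmp from <ournets> to any icmp-type echoreq

# Variant B, the check Ermal suggests: keep the global policy but let this
# one rule's state float, so the ICMP error can match on any interface.
# (Use one variant or the other, not both.)
pass out inet proto icmp from <ournets> to any icmp-type echoreq \
    keep state (floating)

# To see which interface a state is bound to while testing, inspect the
# state table with:  pfctl -ss | grep icmp
```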