From owner-freebsd-pf@FreeBSD.ORG Fri Nov 29 15:23:30 2013
Date: Fri, 29 Nov 2013 16:23:29 +0100
Subject: Re: icmp-type echoreq not matching resulting ttl exceeded
From: Ermal Luçi
To: Ian FREISLICH
Cc: freebsd-pf@freebsd.org
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Fri, Nov 29, 2013 at 2:53 PM, Ian FREISLICH wrote:
> Ermal Luçi wrote:
> > On Fri, Nov 29, 2013 at 1:28 PM, Ian FREISLICH wrote:
> > > At some point this stopped working. I was able to use traceroute -I.
> > > This rule let the echo request out and the resulting TTL exceeded
> > > was matched and allowed back in.
> >
> > Which FreeBSD version are you testing this on?
> > Normally it should just work unless the reply src ip is different from your
> > sent dstip.
>
> I'm using 11.0-CURRENT #41 r258736 and if-bound state. This doesn't
> work from the host or from a host on any interface that has the
> rule:

Have you tried relaxing the if-bound rule to see if it succeeds?
Other than that, the code there is similar on all pf versions for matching icmp state based on these specific returns.

> > pass out inet proto icmp from to any icmp-type echoreq
>
> All interfaces have 'pass in all'
>
> So for instance a host on vlan21 cannot traceroute to a host off vlan23:
>
> [rv1.jnb1] ~ $ traceroute -w1 -I router.lsn102
> traceroute to router.lsn102.gp-online.net (41.154.14.81), 64 hops max, 72 byte packets
>  1  firewall1.vlan21.jnb1.gp-online.net (41.154.0.58)  0.195 ms  0.152 ms  0.169 ms
>  2  * * *
>  3  * * *
>  4  * * *
>  5  * * *
>  6  * * *
>  7  bridge1.router.lsn102.gp-online.net (41.154.14.81)  4.080 ms  5.859 ms  6.832 ms
>
> However, the traffic is not being denied, or at least it's not being
> logged and all my block rules log.
>
> When the source interface does not have the rule
> pass out inet proto icmp from to any icmp-type echoreq
> then the traceroute is successful.
>
> Ian
>
> --
> Ian Freislich

--
Ermal
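The thread turns on two things: whether the outgoing echo-request state is if-bound or floating, and whether the returning ICMP errors are reaching pf at all. The pf.conf fragment below is an added example, not the poster's ruleset or anything from the FreeBSD project: it puts the if-bound rule shape from the thread next to the floating relaxation Ermal suggests, and adds a logged diagnostic rule that is only ever hit when the error packet fails to match an existing state. The source network 192.0.2.0/24 is a constructed placeholder for the address list in the original rule, which the archive has dropped.

```pf
# Added example pf.conf fragment (not the poster's configuration).
# 192.0.2.0/24 is a constructed placeholder for the original source list.

# Variant A: the shape discussed in the thread. With if-bound state,
# the entry created by the outgoing echo request is tied to the interface
# it left on, and the returning ICMP time-exceeded must be matched there.
pass out inet proto icmp from 192.0.2.0/24 to any icmp-type echoreq keep state (if-bound)

# Variant B: the relaxation Ermal suggests trying. A floating state is
# matched regardless of which interface the reply shows up on.
# Use one variant or the other, not both.
pass out inet proto icmp from 192.0.2.0/24 to any icmp-type echoreq keep state (floating)

# Diagnostic: pf consults the state table before evaluating rules, so this
# rule is only reached when an ICMP error did NOT match the echo-request
# state. "log" sends a copy to pflog0; "quick" stops evaluation here so the
# poster's "pass in all" below cannot become the last (winning) match and
# hide the hit from this rule's counters.
pass in log quick inet proto icmp icmp-type { timex, unreach }

# The catch-all the poster describes; kept so nothing else changes.
pass in all
```

After loading the ruleset with `pfctl -f /etc/pf.conf`, repeat the `traceroute -I` and check `pfctl -vvsr`: if the packet counter on the diagnostic rule rises while variant A is active, the time-exceeded messages are arriving but are not being matched to the echo-request state, which is the symptom Ian describes (no block logged, but the hops still show as `* * *`). `pfctl -ss` shows whether an icmp state exists for the probe at all, and `tcpdump -n -e -ttt -i pflog0` shows the interface each logged error came in on, which is the detail that decides whether if-bound is the cause.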