From: Emanuel Strobl <emanuel.strobl@gmx.net>
To: Max Laier
Cc: pf@freebsd.org, stable@freebsd.org
Date: Fri, 11 Mar 2005 13:10:58 +0100
Subject: Return-icmp doesn't work [Was: Re: Recent panics caused by pf]
Message-Id: <200503111311.03343@harrymail>
In-Reply-To: <200502211924.10327.max@love2party.net>
References: <20050212061756.GF4769@kt-is.co.kr> <200502211557.17818@harrymail> <200502211924.10327.max@love2party.net>
List-Id: Technical discussion and general questions about packet filter (pf) <freebsd-pf@freebsd.org>

On Monday, 21 February 2005 19:24, Max Laier wrote:
> On Monday 21 February 2005 15:57, Harald Schmalzbauer wrote:
> > On Sunday, 20 February 2005 19:10, Max Laier wrote:
> > > /me slaps self ...
[...]
> > I tested your patch against RELENG_5 and the panic with "pfctl -Fall"
> > seems to be solved.
> > But I have another problem with renamed interfaces and pf:
> > The following rule can't be loaded (error: routeto: unknown interface
> > SDSL)
> > "pass in on SDSL reply-to (SDSL $sdsl_gw) proto tcp from any to
> > $mta port 25"
[...]
> > And there are more oddities with pf and FreeBSD:
> > block return doesn't work. At least for TCP connections I don't get a
> > reset back; instead it times out.
> > Also return-icmp (13) doesn't work.
>
> Hum?!? ... Are you sure about this? I am pretty confident that it works.
> I'll have to test to make sure ... later that week/next week. Keep me
> posted in case you find something.

I'm on the firewall again and verified that block return works for tcp-rst,
but not for return-icmp (with or without code); it seems packets just get
dropped, regardless of which protocol (tested UDP, ICMP, TCP).

Then I have another problem, which may be a design problem.
I am multihomed and have several pass reply-to rules. So far things are
working fine, but block return doesn't! Of course, the return goes over the
default route, so what I need is a "block return route-to" or something like
that. Do you know of any detour by which this could be achieved?

Thanks,

-Harry

> > > Thanks,
> > >
> > > -Harry (P.S.: Emanuel and Harry are the same person (me); the gmx address
> > > is just a fake identity for mailing lists)
>
> okay ... you see us perplexed ;)
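To make the report above reproducible, here is a pf.conf fragment that rebuilds the setup Harry describes: a renamed SDSL interface, a reply-to pass rule for SMTP, and explicit block rules for the two return behaviours he tested. This is an added example, not a configuration from the thread; the interface name is the one quoted in the mail, while the gateway and MTA addresses are assumed RFC 5737 documentation values.

```pf
# Macros. The gateway and MTA addresses are constructed for this example.
ext_if  = "SDSL"            # renamed interface the report filters on
sdsl_gw = "192.0.2.1"       # next hop on that interface (assumed)
mta     = "198.51.100.25"   # mail host behind the firewall (assumed)

# Default policy: drop silently but log, so pflog0 shows what was dropped.
block log all

# Inbound on the SDSL link: answer every protocol with ICMP type 3 code 13
# (communication administratively prohibited). This is the variant the
# report says produces no reply at all.
block return-icmp(13) in log on $ext_if all

# For TCP, answer with a RST instead. In pf the last matching rule wins, so
# this overrides the return-icmp rule for TCP only. The report confirms
# that this variant does send a reset.
block return-rst in log on $ext_if proto tcp all

# Allow SMTP to the MTA and route the replies of that connection back out
# through the SDSL gateway rather than the default route. reply-to works on
# the state entry, and this pf generation (OpenBSD 3.5 based) does not keep
# state by default, hence the explicit "keep state".
pass in on $ext_if reply-to ($ext_if $sdsl_gw) proto tcp from any to $mta port 25 keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it; the "routeto: unknown interface SDSL" error from the earlier mail is a parse-time error and shows up here. To see whether pf actually emits a reply, and on which link, watch the log interface and both physical links at the same time: `tcpdump -n -e -ttt -i pflog0` shows the blocked packet, and `tcpdump -n -i SDSL 'icmp or tcp[tcpflags] & tcp-rst != 0'` (repeated on the default-route interface) shows whether a RST or ICMP unreachable leaves, and where. Two caveats worth knowing when reading the result: `block return` without a qualifier sends a RST for TCP and an ICMP unreachable for UDP only, so other protocols are silently dropped by that form; and the RST or ICMP is synthesised by pf itself and handed to the IP output path, which consults the routing table rather than the reply-to of any pass rule, which is why on a multihomed box it goes out via the default route exactly as the mail observes. `set block-policy return` makes the return behaviour the default for plain `block` rules, but does not change how the generated packet is routed.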