Date: Mon, 15 Oct 2012 17:52:03 +0200
From: Olivier Cochard-Labbé <olivier@cochard.me>
To: Patrick Lamaiziere <patfbsd@davenulle.org>
Cc: freebsd-pf@freebsd.org
Subject: Re: [9.1] PF drop
Message-ID: <CA+q+Tcpw-tVGFenyGZaNXfKSNdm3XBOumQ5=UgC5yBXbPgHHnA@mail.gmail.com>
In-Reply-To: <20121012214215.735615d3@davenulle.org>
References: <20121012214215.735615d3@davenulle.org>
On Fri, Oct 12, 2012 at 9:42 PM, Patrick Lamaiziere <patfbsd@davenulle.org> wrote:
> Hello,

Hi Patrick,

>
> As far as I can see, PF replies with an icmp unreachable if a packet is
> dropped in output, even if the block policy is "drop". Which is not the
> intended behavior.

I've tested with a simple lab:

PC_1 (10.0.12.1) <===> (em0) FW (em1) <===> PC_2 (10.0.23.3)

and this 3-line rule set:

set block-policy drop
block all
pass proto tcp from em0:network to em1:network

Then I've tried to ssh from PC_2 to PC_1, and all traffic is dropped (no ICMP generated).
Tested on -current, 8.2-RELEASE-p6, and 9.1-RC2.

Then I've tried with your rule set adapted to my lab:

block log (all)
pass in quick to 10.0.23.3 no state
block drop out quick on em1 to 10.0.23.3
pass out quick
pass in quick inet

And I've tried to ssh from PC_1 to PC_2, and all traffic is dropped (no ICMP generated) too.

One remark: I'm using pf as a module (not compiled in kernel).

Regards,
Olivier
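Added example, not part of the thread and not code from either poster: a small sh audit that checks what a loaded pf ruleset will actually do on a block. The relevant fact is that `pfctl -sr` prints every rule with its effective action: a bare `block` is rendered as `block drop` or `block return` according to the `set block-policy` in force when the ruleset was loaded, so its output is where to confirm that `set block-policy drop` really took effect before blaming the kernel for ICMP unreachables. The two sample rulesets below are constructed (the lab addresses are from the thread; the exact rendering of the pass rule is an assumption), and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the freebsd-pf thread). Classify the rules that
# `pfctl -sr` prints and count the block rules that answer the sender
# (TCP RST or ICMP unreachable) instead of silently dropping the packet.

# classify_rule LINE -> prints "silent", "replies" or "pass".
# pfctl prints the action right after "block": "drop", "return",
# "return-rst", "return-icmp" or "return-icmp6".
classify_rule() {
    case "$1" in
        "block drop "*|"block drop")  echo silent ;;
        "block return"*)              echo replies ;;
        block*)                       echo replies ;;   # unknown block action: treat as noisy
        *)                            echo pass ;;
    esac
}

# count_replying_rules < RULES -> prints how many block rules reply, and
# echoes each such rule to stderr so the operator can see which ones.
count_replying_rules() {
    n=0
    while IFS= read -r line; do
        if [ "$(classify_rule "$line")" = replies ]; then
            n=$((n + 1))
            printf 'replies: %s\n' "$line" >&2
        fi
    done
    echo "$n"
}

# Constructed sample: what `pfctl -sr` shows for the thread's 3-line ruleset
# after loading it with "set block-policy drop" (pass-rule rendering assumed).
SAMPLE_DROP='block drop all
pass proto tcp from 10.0.12.0/24 to 10.0.23.0/24 flags S/SA keep state'

# Same ruleset loaded with "set block-policy return": the bare "block all"
# now carries the return action, i.e. the firewall will send RST/unreachable.
SAMPLE_RETURN='block return all
pass proto tcp from 10.0.12.0/24 to 10.0.23.0/24 flags S/SA keep state'

# Stand-alone run against the constructed samples. On a live firewall:
#   . ./pf-audit.sh; pfctl -sr | count_replying_rules
printf 'block-policy drop  : %s replying rule(s)\n' \
    "$(printf '%s\n' "$SAMPLE_DROP" | count_replying_rules)"
printf 'block-policy return: %s replying rule(s)\n' \
    "$(printf '%s\n' "$SAMPLE_RETURN" | count_replying_rules)"
```

If the audit reports zero replying rules and the far end still receives ICMP unreachables, the message is not coming from the pf rule that dropped the packet; capture on the outside interface with tcpdump and compare against `pfctl -vsr` hit counters and `tcpdump -ni pflog0` to find which rule, if any, is logging the drop.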
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CA%2Bq%2BTcpw-tVGFenyGZaNXfKSNdm3XBOumQ5=UgC5yBXbPgHHnA>