From owner-freebsd-pf@FreeBSD.ORG  Fri Oct 12 19:42:46 2012
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
 by hub.freebsd.org (Postfix) with ESMTP id 6BEFA1B7
 for <freebsd-pf@freebsd.org>; Fri, 12 Oct 2012 19:42:46 +0000 (UTC)
 (envelope-from patfbsd@davenulle.org)
Received: from smtp.lamaiziere.net (net.lamaiziere.net [94.23.254.147])
 by mx1.freebsd.org (Postfix) with ESMTP id 3139D8FC0A
 for <freebsd-pf@freebsd.org>; Fri, 12 Oct 2012 19:42:45 +0000 (UTC)
Received: from baby-jane.lamaiziere.net (unknown [192.168.1.10])
 by smtp.lamaiziere.net (Postfix) with ESMTP id B1759AEDB
 for <freebsd-pf@freebsd.org>; Fri, 12 Oct 2012 21:42:37 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1])
 by baby-jane.lamaiziere.net (Postfix) with ESMTP id 5A3372CECCB
 for <freebsd-pf@freebsd.org>; Fri, 12 Oct 2012 21:42:16 +0200 (CEST)
Date: Fri, 12 Oct 2012 21:42:15 +0200
From: Patrick Lamaiziere <patfbsd@davenulle.org>
To: freebsd-pf@freebsd.org
Subject: [9.1] PF drop
Message-ID: <20121012214215.735615d3@davenulle.org>
X-Mailer: Claws Mail 3.8.1 (GTK+ 2.24.6; i386-portbld-freebsd9)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 8bit
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
 \(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-pf>,
 <mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
 <mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Oct 2012 19:42:46 -0000

Hello,

As far I can see, PF replies with an icmp unreachable if a packet is
droped in output, even if the block policy is "drop". Which is not the
intented behavior.

I've made few tests with this setup 
host1 (192.168.1.60)<->(vr0:192.168.1.254) PF (vr2:192.168.200.254)
<-> host2 (192.168.200.2)

If I block in incoming (ie on vr0) the trafic to 192.168.202 the packet
is simply droped.

Rules (the no state is here to ensure that states is not
the probleme):

block log (all)
pass in quick to 192.168.200.2 no state
block drop out quick on vr2 to 192.168.200.2
pass out quick
pass in quick inet

When I ping or ssh the filtered host:

host1:
$ ssh 192.168.200.2
ssh: connect to host 192.168.200.2 port 22: No route to host

tcpdump on the firewall (vr0)
21:36:50.328825 IP 192.168.1.254 > 192.168.1.60: ICMP host
192.168.200.2 unreachable, length 68

The good news is that packets are filtered on output.
I see a similar behavior on OpenBSD 5.1, but this is not systematic.

Any idea?
Thanks, regards.