Date: Fri, 12 Oct 2012 21:42:15 +0200
From: Patrick Lamaiziere <patfbsd@davenulle.org>
To: freebsd-pf@freebsd.org
Subject: [9.1] PF drop
Message-ID: <20121012214215.735615d3@davenulle.org>
Hello,

As far as I can see, PF replies with an ICMP unreachable if a packet is
dropped in output, even if the block policy is "drop". Which is not the
intended behavior.

I've made a few tests with this setup:

    host1 (192.168.1.60) <-> (vr0:192.168.1.254) PF (vr2:192.168.200.254) <-> host2 (192.168.200.2)

If I block in incoming (i.e. on vr0) the traffic to 192.168.202 the
packet is simply dropped.

Rules (the "no state" is here to ensure that states are not the problem):

    block log (all)
    pass in quick to 192.168.200.2 no state
    block drop out quick on vr2 to 192.168.200.2
    pass out quick
    pass in quick inet

When I ping or ssh the filtered host:

host1:

    $ ssh 192.168.200.2
    ssh: connect to host 192.168.200.2 port 22: No route to host

tcpdump on the firewall (vr0):

    21:36:50.328825 IP 192.168.1.254 > 192.168.1.60: ICMP host 192.168.200.2 unreachable, length 68

The good news is that packets are filtered on output.

I see a similar behavior on OpenBSD 5.1, but this is not systematic.

Any idea?

Thanks, regards.
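The following pf.conf is an added example for the setup described in the post, not configuration from the original message or from the FreeBSD project. The interface names (vr0, vr2) and addresses come from the post; the explicit `set block-policy drop` line, the `log` keyword on the outbound block rule and the comments are assumptions added here so that the intended policy is stated rather than relied on as a default, and so that every drop is visible on pflog0.

```pf
# Added example (not the original post's ruleset): same topology,
# with the block policy and logging made explicit.

# Default for "block" rules that do not say drop/return themselves.
# "drop" = silently discard; "return" = send TCP RST / ICMP unreachable.
set block-policy drop

# Catch-all: block and log everything not matched by a later rule
# (last match wins unless a rule says "quick").
block log (all)

# host1 -> host2 is allowed in on the inside interface; "no state" keeps
# state tracking out of the picture, as in the post.
pass in quick to 192.168.200.2 no state

# Explicit silent drop on the way out of vr2. Writing "block return out"
# here would be the deliberate way to get the ICMP unreachable the post
# observes; "block drop" is supposed to stay silent.
block drop log out quick on vr2 to 192.168.200.2

pass out quick
pass in quick inet
```

Before loading, `pfctl -nf /etc/pf.conf` parses the file without applying it, and `pfctl -sr` afterwards shows the rules as pf actually loaded them, including the drop/return action pf attached to each block rule. With `log` on the outbound rule, `tcpdump -n -e -ttt -i pflog0` shows every packet that rule discards, which separates "pf dropped it" from "something else answered". The post's own comparison is the useful test here: the same block on vr0 in the inbound direction stays silent, so watching vr0 for the ICMP reply after moving the block between the inbound and outbound paths tells you whether the reply comes from the block rule itself or from the forwarding path reacting to the dropped packet.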