From owner-freebsd-bugs@FreeBSD.ORG Tue Nov 2 17:30:36 2004
Date: Tue, 2 Nov 2004 17:30:36 GMT
Message-Id: <200411021730.iA2HUaS6036701@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From: Giorgos Keramidas
Subject: Re: kern/73399: ipf blocks echo replies with keep state on pass out icmp line
List-Id: Bug reports

The following reply was made to PR kern/73399; it has been noted by GNATS.

From: Giorgos Keramidas
To: Ted Cabeen
Cc: bug-followup@freebsd.org
Subject: Re: kern/73399: ipf blocks echo replies with keep state on pass out icmp line
Date: Tue, 2 Nov 2004 19:19:33 +0200

On 2004-11-01 16:35, Ted Cabeen wrote:
> With the following line in /etc/ipf.rules the firewall blocks outbound
> echo replies:
> pass out quick on fxp0 proto icmp all keep state

Can I see the full ruleset? This seems to be a problem with the ruleset you
are using.
I just flushed all my ipfilter rules and loaded a simple set like this:

: # ipfstat -hnio
: 0 @1 pass out quick on sis0 proto icmp from any to any keep state
: 3 @2 pass out quick proto udp from any to any port = 53 keep state
: empty list for ipfilter(in)

The first rule allows DNS lookups. The second is the rule you have mentioned;
I've only changed fxp0 to sis0, my interface name.

Outgoing icmp echo requests are passed as expected, and their incoming icmp
echo replies are also allowed:

: # ping www.otenet.gr
: PING www.otenet.gr (62.103.128.200): 56 data bytes
: 64 bytes from 62.103.128.200: icmp_seq=0 ttl=120 time=636.550 ms
: ^C
: --- www.otenet.gr ping statistics ---
: 2 packets transmitted, 1 packets received, 50% packet loss
: round-trip min/avg/max/stddev = 636.550/636.550/636.550/0.000 ms

Incoming echo requests do not receive a reply, because there is no matching
state to allow them in and there is no explicit allow rule for incoming echo
requests. Hence, echo replies are never sent from my workstation, unless I
also add:

: pass in quick on sis0 proto icmp from any to any keep state

This is not a bug though.
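As an added illustration of the state behaviour described in the reply above (not code from the PR or from ipfilter itself), here is a small Python model of "pass ... keep state" for ICMP echo traffic. The interface name sis0 follows the mail; the addresses, the Pkt/Rule/Filter names and the simplified matching logic are this example's own assumptions, not ipf's real state table.

```python
from collections import namedtuple

ECHO_REQUEST, ECHO_REPLY = 8, 0                 # ICMP type numbers
OPPOSITE = {"in": "out", "out": "in"}
# A packet as the filter sees it: direction relative to the host, interface,
# addresses, ICMP type and the echo identifier that pairs requests with replies.
Pkt = namedtuple("Pkt", "direction iface src dst icmp_type icmp_id")
# Models "pass <direction> quick on <iface> proto icmp all [keep state]".
Rule = namedtuple("Rule", "direction iface keep_state")

class Filter:
    def __init__(self, rules):
        self.rules = list(rules)
        self.state = set()   # (direction, iface, src, dst, id) of passed echo requests

    def check(self, p):
        # An echo reply passes if it answers a request that created state:
        # same interface, opposite direction, swapped addresses, same id.
        key = (OPPOSITE[p.direction], p.iface, p.dst, p.src, p.icmp_id)
        if p.icmp_type == ECHO_REPLY and key in self.state:
            return "pass"
        # Otherwise the first rule for this direction and interface decides
        # ("quick" semantics); the model blocks when nothing matches.
        for r in self.rules:
            if r.direction == p.direction and r.iface == p.iface:
                if r.keep_state and p.icmp_type == ECHO_REQUEST:
                    self.state.add((p.direction, p.iface, p.src, p.dst, p.icmp_id))
                return "pass"
        return "block"

def echo_outcome(rules, me="192.0.2.10", peer="198.51.100.5"):
    """Return (reply to my own ping, reply to the peer's ping) under rules.
    Addresses are constructed documentation-range values."""
    f = Filter(rules)
    f.check(Pkt("out", "sis0", me, peer, ECHO_REQUEST, 1))        # my ping goes out
    mine = f.check(Pkt("in", "sis0", peer, me, ECHO_REPLY, 1))     # its reply comes back
    # The peer pings me: unless its request passes in, the host never replies.
    if f.check(Pkt("in", "sis0", peer, me, ECHO_REQUEST, 2)) == "block":
        return mine, "block"
    return mine, f.check(Pkt("out", "sis0", me, peer, ECHO_REPLY, 2))

PASS_OUT_ONLY = [Rule("out", "sis0", True)]              # the ruleset from the PR
PASS_BOTH = PASS_OUT_ONLY + [Rule("in", "sis0", True)]   # plus the suggested pass in rule

if __name__ == "__main__":
    print("pass out only:", echo_outcome(PASS_OUT_ONLY))   # ('pass', 'block')
    print("pass in + out:", echo_outcome(PASS_BOTH))       # ('pass', 'pass')
```

The first scenario reproduces what the mail reports: outbound pings get their replies through the state entry, while a peer's inbound echo request has neither state nor a pass in rule, so no reply is ever generated.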