Date: Tue, 2 Nov 2004 22:40:34 GMT
From: Giorgos Keramidas <keramida@freebsd.org>
To: freebsd-bugs@FreeBSD.org
Subject: Re: kern/73399: ipf blocks echo replies with keep state on pass out icmp line
Message-ID: <200411022240.iA2MeYe6072696@freefall.freebsd.org>
The following reply was made to PR kern/73399; it has been noted by GNATS.

From: Giorgos Keramidas <keramida@freebsd.org>
To: Ted Cabeen <ted@impulse.net>
Cc: bug-followup@freebsd.org
Subject: Re: kern/73399: ipf blocks echo replies with keep state on pass out icmp line
Date: Wed, 3 Nov 2004 00:30:30 +0200

On 2004-11-02 10:27, Ted Cabeen <ted@impulse.net> wrote:
> Giorgos Keramidas <keramida@freebsd.org> writes:
> > On 2004-11-01 16:35, Ted Cabeen <ted@impulse.net> wrote:
> >> With the following line in /etc/ipf.rules the firewall blocks outbound
> >> echo replies:
> >> pass out quick on fxp0 proto icmp all keep state
> >
> > Can I see the full ruleset? This seems to be a problem with the ruleset
> > you are using.
>
> !grep icmp rules
> pass out quick on fxp0 proto icmp all keep state
> pass in quick on fxp0 proto icmp from any to black icmp-type 0
> pass in quick on fxp0 proto icmp from any to black icmp-type 8
> pass in quick on fxp0 proto icmp from any to black icmp-type 11
> block return-icmp(port-unr) in log quick on fxp0 proto udp all

Your ruleset uses `keep state' for outgoing icmps but not for the
icmp-types 0, 8 and 11.  I'm not sure how ipfilter keeps states
internally, but can you try one of the following?

a. Add 'keep state' to the input rules too, or

b. Replace all your icmp rules with a pair like this:

   pass in icmp all
   pass out icmp all

If (a) doesn't work but (b) works, we'll have to look at this in more
detail.  If they both work, it's probably a lot faster to keep (b) and
use the net.inet.icmp.icmplim sysctl to limit the rate of icmp packets ;-)
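The two test rulesets proposed in the reply, spelled out as complete ipf.rules fragments. This is an added example, not text from the PR or from either correspondent; it assumes the reporter's interface name `fxp0` and host name `black`, and writes the variant (b) pair with the `proto icmp` keyword that ipfilter's grammar expects. Variant (b) is the wider of the two: it admits every inbound ICMP type, not only types 0, 8 and 11, which is why the reply pairs it with the `net.inet.icmp.icmplim` rate limit.

```conf
# Added example for PR kern/73399; not part of the original report or reply.
# Assumptions: interface fxp0 and host name "black" as in the reporter's
# ruleset. Load one variant at a time and re-test echo replies after each.

# --- Variant (a): keep state on the inbound ICMP rules as well ----------
pass out quick on fxp0 proto icmp all keep state
pass in  quick on fxp0 proto icmp from any to black icmp-type 0  keep state
pass in  quick on fxp0 proto icmp from any to black icmp-type 8  keep state
pass in  quick on fxp0 proto icmp from any to black icmp-type 11 keep state
block return-icmp(port-unr) in log quick on fxp0 proto udp all

# --- Variant (b): stateless ICMP in both directions ---------------------
# Caveat: this passes every inbound ICMP type, not just 0, 8 and 11.
pass in  quick on fxp0 proto icmp all
pass out quick on fxp0 proto icmp all
block return-icmp(port-unr) in log quick on fxp0 proto udp all

# Commands typed at the shell, not rules:
#   ipf -Fa -f /etc/ipf.rules          # flush the active set, load the file
#   ipfstat -sl                        # list ICMP state entries (variant a)
#   sysctl net.inet.icmp.icmplim=200   # rate-limit ICMP replies (variant b)
```

Run the outside-in ping against `black` after loading each variant; if only (b) lets the echo replies out, the state table is the place to look, as the reply says.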
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200411022240.iA2MeYe6072696>