From owner-freebsd-bugs@FreeBSD.ORG Wed Nov 3 19:10:16 2004
Date: Wed, 3 Nov 2004 19:10:16 GMT
Message-Id: <200411031910.iA3JAGv9039250@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From: Ted Cabeen
Subject: Re: kern/73399: ipf blocks echo replies with keep state on pass out icmp line
Reply-To: Ted Cabeen
List-Id: Bug reports

The following reply was made to PR kern/73399; it has been noted by GNATS.

From: Ted Cabeen
To: Giorgos Keramidas
Cc: bug-followup@freebsd.org
Subject: Re: kern/73399: ipf blocks echo replies with keep state on pass out icmp line
Date: Wed, 03 Nov 2004 11:09:17 -0800

Giorgos Keramidas writes:
> On 2004-11-02 10:27, Ted Cabeen wrote:
>> Giorgos Keramidas writes:
>> > On 2004-11-01 16:35, Ted Cabeen wrote:
>> >> With the following line in /etc/ipf.rules the firewall blocks outbound
>> >> echo replies:
>> >>
>> >> pass out quick on fxp0 proto icmp all keep state
>> >
>> > Can I see the full ruleset?  This seems to be a problem with the ruleset
>> > you are using.
>>
>> !grep icmp rules
>> pass out quick on fxp0 proto icmp all keep state
>> pass in quick on fxp0 proto icmp from any to black icmp-type 0
>> pass in quick on fxp0 proto icmp from any to black icmp-type 8
>> pass in quick on fxp0 proto icmp from any to black icmp-type 11
>> block return-icmp(port-unr) in log quick on fxp0 proto udp all
>
> Your ruleset uses `keep state' for outgoing icmps but not for the icmp-types
> 0, 8 and 11.  I'm not sure how ipfilter keeps states internally, but can you
> try one of the following?
>
> a. Add 'keep state' to the input rules too, or
>
> b. Replace all your icmp rules with a pair like this:
>
>     pass in icmp all
>     pass out icmp all
>
> If (a) doesn't work but (b) works, we'll have to look at this in more
> detail.  If they both work, it's probably a lot faster to keep (b) and
> use the net.inet.icmp.icmplim sysctl to limit the rate of icmp packets ;-)

(a) works, so I'll probably just go with that.  Thanks for the input.

-- 
Ted Cabeen
Sr. Systems/Network Administrator
Impulse Internet Services
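Option (a) from the exchange above, written out as a complete ruleset for /etc/ipf.rules. This is an added example, not a ruleset posted in the thread; it keeps the interface name fxp0, the host alias `black` and the rule order from Ted's grep output, and assumes the standard meaning of the ICMP type numbers (0 echo reply, 8 echo request, 11 time exceeded).

```conf
# As posted, only the outbound rule kept state. An inbound echo request was
# passed by the icmp-type 8 rule without creating a state entry, so the
# outbound echo reply had to be matched against the rule list on its own,
# and that is where it was blocked.
#
# Fix (a): every ICMP rule keeps state, in both directions. ipfilter
# consults the state table before the rule list, so a reply that belongs
# to a state entry passes without ever reaching these rules.

# Outbound ICMP from this host, unchanged from the posted ruleset.
pass out quick on fxp0 proto icmp all keep state

# Inbound echo reply (type 0) and time exceeded (type 11), i.e. answers to
# ping and traceroute run from this host. The outbound rule's state already
# admits solicited ones; these rules keep the posted behaviour and now
# record state as well.
pass in quick on fxp0 proto icmp from any to black icmp-type 0 keep state

# Inbound echo request (type 8) to this host. The state entry created here
# is what admits the outbound echo reply, which is the case that failed.
pass in quick on fxp0 proto icmp from any to black icmp-type 8 keep state

pass in quick on fxp0 proto icmp from any to black icmp-type 11 keep state

# Unchanged: refuse other inbound UDP with an ICMP port-unreachable and log it.
block return-icmp(port-unr) in log quick on fxp0 proto udp all
```

After editing the file, reload it with `ipf -Fa -f /etc/ipf.rules` and confirm with `ipfstat -sl` that an inbound ping now leaves a state entry behind.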