From owner-freebsd-pf@FreeBSD.ORG Tue Oct 16 20:57:37 2012
Date: Tue, 16 Oct 2012 22:57:08 +0200
From: Patrick Lamaiziere
To: freebsd-pf@freebsd.org
Subject: Re: [9.1] PF drop
Message-ID: <20121016225708.7b23e083@davenulle.org>
In-Reply-To: <20121016091338.164a6de0@mr129166>
References: <20121012214215.735615d3@davenulle.org> <20121016091338.164a6de0@mr129166>
X-Mailer: Claws Mail 3.8.1 (GTK+ 2.24.6; i386-portbld-freebsd9)
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Tue, 16 Oct 2012 09:13:38 +0200, Patrick Lamaiziere wrote:

Hello,

> To be sure that states are not involved at all I've used a serial
> console on the firewall (previous tests were made with ssh).
>
> So I don't understand why you don't reproduce this. I will make a few
> more tests.

I've tested on my workstation at work running a fresh 9.1-STABLE and I
still saw "icmp unreachable". So I don't understand...
Config of the first example (Net5501). No special sysctl set.

$ uname -a
FreeBSD malpractice.lamaiziere.net 9.1-RC2 FreeBSD 9.1-RC2 #0 r241596: Mon Oct 15 21:23:23 CEST 2012 root@baby-jane.lamaiziere.net:/usr/obj/usr/src/sys/GENERIC i386

/etc/rc.conf:
background_fsck="NO"
hostname="malpractice.lamaiziere.net"
keymap="fr.iso.acc"
dumpdev="/dev/ad0s1b"
dumpdir="/usr/crash"
devfs_system_ruleset="lpt"
clear_tmp_enable="YES"
pf_enable="YES"
pflog_enable="YES"
ipv6_network_interfaces=""
ifconfig_vr0="192.168.1.254 netmask 255.255.255.0"
ifconfig_vr2="192.168.200.254 netmask 255.255.255.0"
ifconfig_vr3="10.0.200.254 netmask 255.255.255.0"
defaultrouter="192.168.1.1"
gateway_enable="YES"
sshd_enable="YES"
sshd_flags="-u0"
sendmail_enable="YES"
sendmail_flags="-bd"
sendmail_pidfile="/var/spool/postfix/pid/master.pid"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"

----------
Rules:

pfctl -s rules
No ALTQ support in kernel
ALTQ related functions disabled
block drop log (all) all
pass in quick inet from any to 192.168.200.2 no state
block drop out quick on vr2 inet from any to 192.168.200.2
pass out quick all flags S/SA keep state
pass in quick inet all flags S/SA keep state

When I ping from 192.168.1.60 to the dropped host (192.168.200.2):

root@malpractice:/root # tcpdump -i vr0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vr0, link-type EN10MB (Ethernet), capture size 65535 bytes
22:55:17.855511 IP 192.168.1.60 > 192.168.200.2: ICMP echo request, id 47511, seq 1072, length 64
22:55:17.855665 IP 192.168.1.254 > 192.168.1.60: ICMP host 192.168.200.2 unreachable, length 36
22:55:18.856492 IP 192.168.1.60 > 192.168.200.2: ICMP echo request, id 47511, seq 1073, length 64
22:55:18.856610 IP 192.168.1.254 > 192.168.1.60: ICMP host 192.168.200.2 unreachable, length 36

Regards.
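The point of the capture above is that a pf `block drop` rule is supposed to discard silently, yet the firewall (192.168.1.254) answers each echo request with an ICMP host unreachable, which is `block return` behaviour. The check a practitioner would run on such a capture is to pair every echo request with whatever came back for it and classify it as replied, silently dropped, or actively rejected. The script below does that over the text format `tcpdump` prints. It is an added example for this thread, not code from the post or from the pf project; the sample capture is constructed (modelled on the lines above, plus a replying host and a silently dropped host), the one-second pairing window and the `drop_targets` set are assumptions, and only `host`/`net` unreachables are parsed because tcpdump lays out port and protocol unreachables differently.

```python
"""Classify ICMP echo requests in a tcpdump text capture as replied,
silently dropped, or rejected with an ICMP unreachable from a router.

Added example for this thread; not code from the original post or from
the pf project.  SAMPLE_CAPTURE is constructed for the example.
"""
import re
from collections import Counter

# Constructed capture: two requests to the "dropped" host drawing
# unreachables (as in the post), one host that replies, one that is
# genuinely silent.
SAMPLE_CAPTURE = """\
22:55:17.855511 IP 192.168.1.60 > 192.168.200.2: ICMP echo request, id 47511, seq 1072, length 64
22:55:17.855665 IP 192.168.1.254 > 192.168.1.60: ICMP host 192.168.200.2 unreachable, length 36
22:55:18.856492 IP 192.168.1.60 > 192.168.200.2: ICMP echo request, id 47511, seq 1073, length 64
22:55:18.856610 IP 192.168.1.254 > 192.168.1.60: ICMP host 192.168.200.2 unreachable, length 36
22:55:19.857000 IP 192.168.1.60 > 192.168.200.3: ICMP echo request, id 47511, seq 1, length 64
22:55:19.857300 IP 192.168.200.3 > 192.168.1.60: ICMP echo reply, id 47511, seq 1, length 64
22:55:20.858000 IP 192.168.1.60 > 192.168.200.4: ICMP echo request, id 47511, seq 1, length 64
"""

# Common prefix of a tcpdump ICMP line: timestamp, src > dst, "ICMP ".
_PREFIX = r"(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP "
ECHO_RE = re.compile(_PREFIX + r"echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)")
# Only host/net unreachables; port/protocol unreachables are laid out differently.
UNREACH_RE = re.compile(_PREFIX + r"(?P<scope>host|net) (?P<target>[\d.]+) unreachable")


def _seconds(ts):
    """HH:MM:SS.ffffff -> seconds since midnight, for ordering and windowing."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse(capture):
    """Split a capture into echo requests, echo replies and unreachables.

    A request/reply is keyed by (target host, icmp id, seq) so the two
    directions line up; the reply's source is the request's destination.
    """
    requests, replies, unreach = [], set(), []
    for line in capture.splitlines():
        m = ECHO_RE.match(line)
        if m:
            target = m["dst"] if m["kind"] == "request" else m["src"]
            key = (target, int(m["id"]), int(m["seq"]))
            if m["kind"] == "request":
                requests.append((key, m["src"], _seconds(m["ts"])))
            else:
                replies.add(key)
            continue
        m = UNREACH_RE.match(line)
        if m:
            unreach.append((_seconds(m["ts"]), m["src"], m["dst"], m["scope"], m["target"]))
    return requests, replies, unreach


def classify(capture, window=1.0):
    """Return {request key: verdict} in capture order.

    An unreachable counts as the rejection of a request when it is sent
    back to the requester, names the request's target, and arrives
    within `window` seconds after the request (assumed value).
    """
    requests, replies, unreach = parse(capture)
    verdicts = {}
    for key, requester, t_req in requests:
        target = key[0]
        if key in replies:
            verdicts[key] = "replied"
            continue
        hit = next((u for u in unreach
                    if u[2] == requester and u[4] == target
                    and 0 <= u[0] - t_req <= window), None)
        if hit:
            verdicts[key] = f"rejected: ICMP {hit[3]} unreachable from {hit[1]}"
        else:
            verdicts[key] = "silently dropped"
    return verdicts


def unexpected_rejects(verdicts, drop_targets):
    """Requests to hosts a `block drop` rule should silence, but which drew an unreachable."""
    return [k for k, v in verdicts.items()
            if k[0] in drop_targets and v.startswith("rejected")]


def summary(capture):
    """Count verdict classes; a clean `block drop` setup shows no 'rejected'."""
    return Counter(v.split(":")[0] for v in classify(capture).values())


if __name__ == "__main__":
    verdicts = classify(SAMPLE_CAPTURE)
    for key, verdict in verdicts.items():
        print(key, "->", verdict)
    print(dict(summary(SAMPLE_CAPTURE)))
    # Hosts covered by "block drop out quick on vr2 ... to 192.168.200.2"
    print("drop rule answered with ICMP:", unexpected_rejects(verdicts, {"192.168.200.2"}))
```

Feed it `tcpdump -i vr0 -l icmp` output (or a saved `tcpdump -r file.pcap icmp` dump) captured on the interface facing the pinging host; any entry in `unexpected_rejects` for a destination matched by a `block drop` rule is the symptom the post describes, while an entry classed `silently dropped` is what `block drop` is supposed to produce.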