From: Olivier Cochard-Labbé <cochard@gmail.com>
Date: Mon, 15 Oct 2012 17:52:03 +0200
To: Patrick Lamaiziere
Cc: freebsd-pf@freebsd.org
Subject: Re: [9.1] PF drop
In-Reply-To: <20121012214215.735615d3@davenulle.org>
List-Id: "Technical discussion and general questions about packet filter (pf)"
On Fri, Oct 12, 2012 at 9:42 PM, Patrick Lamaiziere wrote:
> Hello,

Hi Patrick,

>
> As far as I can see, PF replies with an icmp unreachable if a packet is
> dropped in output, even if the block policy is "drop". Which is not the
> intended behavior.
>

I've tested with a simple lab:

    PC_1 (10.0.12.1) <===> (em0) FW (em1) <===> PC_2 (10.0.23.3)

and this 3-line rule set:

    set block-policy drop
    block all
    pass proto tcp from em0:network to em1:network

Then I've tried to ssh from PC_2 to PC_1, and all traffic is dropped (no ICMP generated).
Tested on -current, 8.2-RELEASE-p6, and 9.1-RC2.

Then I've tried with your rule set adapted to my lab:

    block log (all)
    pass in quick to 10.0.23.3 no state
    block drop out quick on em1 to 10.0.23.3
    pass out quick
    pass in quick inet

And I've tried to ssh from PC_1 to PC_2, and all traffic is dropped (no ICMP generated) too.

One remark: I'm using pf as a module (not compiled in kernel).

Regards,
Olivier
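As an added illustration that is not part of this thread or of either poster's rule set, the following pf.conf fragment shows how the global "set block-policy" interacts with the per-rule "drop" and "return" keywords, which is the distinction the discussion above turns on. Interface names and networks are assumptions chosen to match the lab described in the message (em0 facing 10.0.12.0/24, em1 facing 10.0.23.0/24).

```pf
# Added example, not from the thread. Interfaces and networks are assumed.

# Default for every "block" rule that names neither "drop" nor "return":
# with "drop" the packet is discarded silently, with "return" pf answers
# a TCP RST (for TCP) or an ICMP unreachable (other protocols).
set block-policy drop

# Silently dropped packets are invisible on the wire, so log them to
# pflog0; that log is the way to confirm a drop when no reply is sent.
block log all

# "return" written on the rule itself overrides the global policy for
# that rule only: this one actively refuses SSH from the em1 side.
block return in quick on em1 proto tcp from 10.0.23.0/24 to em0:network port 22

# "drop" written on the rule is explicit and behaves exactly like the
# global policy above: the packet is discarded and nothing is sent back.
block drop out quick on em1 to 10.0.23.0/24

# Rule from the lab above, kept as-is.
pass proto tcp from em0:network to em1:network
```

To check the fragment before loading it, "pfctl -nf /etc/pf.conf" parses it without installing it; once loaded, "tcpdump -n -e -ttt -i pflog0" shows the logged blocks together with the matching rule number, so a drop can be confirmed from the log even though, unlike a "return" rule, it leaves no trace on the blocked host.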