From owner-freebsd-pf@FreeBSD.ORG Fri Feb 7 14:24:13 2014
Message-ID: <52F4EA37.9050805@egr.msu.edu>
Date: Fri, 07 Feb 2014 09:14:15 -0500
From: Adam McDougall
To: freebsd-pf@freebsd.org
Subject: Re: pf + NAT + ICMP issues?
List-Id: "Technical discussion and general questions about packet filter (pf)"

On 02/07/2014 08:16, Daniel Engberg wrote:
> Hi,
>
> I've been tearing my hair on this one, this ruleset worked fine on 9.1
> and 9-STABLE around the same time but doesn't on HEAD (most recent box I
> have is running r261486 (AMD64)). I might be missing something obvious so
> I guess I need another pair of eyes.
>
> Anyhow, the issue is pretty simple, for some reason on clients behind
> ping and tracert don't work as they did before.
>
> Using ping (Windows 7) the first packet always gets a timeout and
> tracert doesn't work except at the end hop.
> (snip)
>
> # Allow ICMP
> pass in quick on $ext_if inet proto icmp all icmp-type $icmp_types

Can you try duplicating or replacing this rule with "pass out"? I use
both pass in and out, I suppose I could just use "pass" with one rule.
FYI, I only have icmp_types = "{ echoreq unreach }".

> # Allow FTPs to connect to our FTP-proxy
> pass in quick on $ext_if inet proto tcp to ($ext_if) port ftp-data user
> proxy
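As an added example (not part of the thread or Daniel's ruleset), here is the paired in/out form Adam describes, in a minimal NAT gateway pf.conf; the interface names and the internal network are assumptions:

```pf
# Added example, not from the original thread. Interface and network
# macros are assumed values for illustration.
ext_if = "em0"
int_if = "em1"
int_net = "192.168.1.0/24"
icmp_types = "{ echoreq unreach }"

# Translate outbound LAN traffic to the external address.
nat on $ext_if inet from $int_net to any -> ($ext_if)

# Default deny in both directions, so every permitted flow is explicit.
block all

# Inbound ICMP of the permitted types, addressed to the gateway.
pass in quick on $ext_if inet proto icmp all icmp-type $icmp_types

# Outbound ICMP from NATed clients. The echo request creates a state
# entry on $ext_if; the echo reply, and ICMP errors that reference the
# request (time exceeded, as tracert relies on), are matched to that
# state and reverse-translated back to the client.
pass out quick on $ext_if inet proto icmp all icmp-type $icmp_types

# Allow LAN hosts to reach the gateway's internal side.
pass in on $int_if inet from $int_net to any
```

Check the result with `pfctl -vnf /etc/pf.conf` before loading, and `pfctl -ss | grep icmp` while a client pings to confirm the outbound state is being created.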