From owner-freebsd-bugs@FreeBSD.ORG  Tue Nov  2 22:40:34 2004
Return-Path: <owner-freebsd-bugs@FreeBSD.ORG>
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id E7D3316A5B6
	for <freebsd-bugs@hub.freebsd.org>;
	Tue,  2 Nov 2004 22:40:34 +0000 (GMT)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by mx1.FreeBSD.org (Postfix) with ESMTP id D778643D2D
	for <freebsd-bugs@hub.freebsd.org>;
	Tue,  2 Nov 2004 22:40:34 +0000 (GMT)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1])
	by freefall.freebsd.org (8.12.11/8.12.11) with ESMTP id iA2MeYLS072697
	for <freebsd-bugs@freefall.freebsd.org>; Tue, 2 Nov 2004 22:40:34 GMT
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.12.11/8.12.11/Submit) id iA2MeYe6072696;
	Tue, 2 Nov 2004 22:40:34 GMT
	(envelope-from gnats)
Date: Tue, 2 Nov 2004 22:40:34 GMT
Message-Id: <200411022240.iA2MeYe6072696@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From: Giorgos Keramidas <keramida@freebsd.org>
Subject: Re: kern/73399: ipf blocks echo replies with keep state on pass out
	icmp line
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: Giorgos Keramidas <keramida@freebsd.org>
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Nov 2004 22:40:35 -0000

The following reply was made to PR kern/73399; it has been noted by GNATS.

From: Giorgos Keramidas <keramida@freebsd.org>
To: Ted Cabeen <ted@impulse.net>
Cc: bug-followup@freebsd.org
Subject: Re: kern/73399: ipf blocks echo replies with keep state on pass out icmp line
Date: Wed, 3 Nov 2004 00:30:30 +0200

 On 2004-11-02 10:27, Ted Cabeen <ted@impulse.net> wrote:
 > Giorgos Keramidas <keramida@freebsd.org> writes:
 > > On 2004-11-01 16:35, Ted Cabeen <ted@impulse.net> wrote:
 > >> With the following line in /etc/ipf.rules the firewall blocks outbound
 > >> echo replies:
 > >> pass out quick on fxp0 proto icmp all keep state
 > >
 > > Can I see the full ruleset?  This seems to be a problem with the ruleset
 > > you are using.
 >
 !grep icmp rules
 > pass out quick on fxp0 proto icmp all keep state
 > pass in quick on fxp0 proto icmp from any to black icmp-type 0
 > pass in quick on fxp0 proto icmp from any to black icmp-type 8
 > pass in quick on fxp0 proto icmp from any to black icmp-type 11
 > block return-icmp(port-unr) in log quick on fxp0 proto udp all
 
 Your ruleset uses `keep state' for outgoing icmps but not for the icmp-types
 0, 8 and 11.  I'm not sure how ipfilter keeps states internally, but can you
 try one of the following?
 
 a. Add 'keep state' to the input rules too, or
 
 b. Replace all your icmp rules with a pair like this:
 
 	pass in icmp all
 	pass out icmp all
 
 If (a) doesn't work but (b) works, we'll have to look at this in more
 detail.  If they both work, it's probably a lot faster to keep (b) and
 use the net.inet.icmp.icmplim sysctl to limit the rate of icmp packets ;-)