Date: Wed, 3 Nov 2004 19:10:16 GMT
From: Ted Cabeen <ted@impulse.net>
To: freebsd-bugs@FreeBSD.org
Subject: Re: kern/73399: ipf blocks echo replies with keep state on pass out icmp line
Message-ID: <200411031910.iA3JAGv9039250@freefall.freebsd.org>
The following reply was made to PR kern/73399; it has been noted by GNATS.

From: Ted Cabeen <ted@impulse.net>
To: Giorgos Keramidas <keramida@freebsd.org>
Cc: bug-followup@freebsd.org
Subject: Re: kern/73399: ipf blocks echo replies with keep state on pass out icmp line
Date: Wed, 03 Nov 2004 11:09:17 -0800

Giorgos Keramidas <keramida@freebsd.org> writes:
> On 2004-11-02 10:27, Ted Cabeen <ted@impulse.net> wrote:
>> Giorgos Keramidas <keramida@freebsd.org> writes:
>> > On 2004-11-01 16:35, Ted Cabeen <ted@impulse.net> wrote:
>> >> With the following line in /etc/ipf.rules the firewall blocks outbound
>> >> echo replies:
>> >> pass out quick on fxp0 proto icmp all keep state
>> >
>> > Can I see the full ruleset?  This seems to be a problem with the ruleset
>> > you are using.
>> >
>> !grep icmp rules
>> pass out quick on fxp0 proto icmp all keep state
>> pass in quick on fxp0 proto icmp from any to black icmp-type 0
>> pass in quick on fxp0 proto icmp from any to black icmp-type 8
>> pass in quick on fxp0 proto icmp from any to black icmp-type 11
>> block return-icmp(port-unr) in log quick on fxp0 proto udp all
>
> Your ruleset uses `keep state' for outgoing icmps but not for the icmp-types
> 0, 8 and 11.  I'm not sure how ipfilter keeps states internally, but can you
> try one of the following?
>
> a. Add 'keep state' to the input rules too, or
>
> b. Replace all your icmp rules with a pair like this:
>
>    pass in icmp all
>    pass out icmp all
>
> If (a) doesn't work but (b) works, we'll have to look at this in more
> detail.  If they both work, it's probably a lot faster to keep (b) and
> use the net.inet.icmp.icmplim sysctl to limit the rate of icmp packets ;-)

(a) works, so I'll probably just go with that.  Thanks for the input.

-- 
Ted Cabeen
Sr. Systems/Network Administrator
Impulse Internet Services
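For reference, here is the ICMP portion of an ipf.rules file with option (a) from the thread applied, shown next to the original rules. This is an added example and not part of the PR or of anything Ted or Giorgos posted; the interface name fxp0, the host alias black and the rules themselves come from the thread, and the comments describing the before/after behaviour are this editor's reading of what the thread reports, not a statement about ipfilter internals.

```conf
# Added example (not from the PR thread): ICMP rules from kern/73399,
# before and after applying option (a) from the discussion.
# Interface fxp0 and the host alias "black" are taken from the thread.

# Before: stateful pass-out, stateless pass-in. With this combination the
# PR reports that outbound echo replies (icmp-type 0) are blocked.
#
#   pass out quick on fxp0 proto icmp all keep state
#   pass in  quick on fxp0 proto icmp from any to black icmp-type 0
#   pass in  quick on fxp0 proto icmp from any to black icmp-type 8
#   pass in  quick on fxp0 proto icmp from any to black icmp-type 11

# After (option a): 'keep state' on the inbound rules as well. An inbound
# echo request (type 8) now creates a state entry, and the reply to it is
# handled from the state table. The thread confirms this variant works.
pass out quick on fxp0 proto icmp all keep state
pass in  quick on fxp0 proto icmp from any to black icmp-type 0  keep state
pass in  quick on fxp0 proto icmp from any to black icmp-type 8  keep state
pass in  quick on fxp0 proto icmp from any to black icmp-type 11 keep state

# Unchanged from the thread: reject inbound UDP with a port-unreachable
# and log the attempt.
block return-icmp(port-unr) in log quick on fxp0 proto udp all
```

Option (b) from the thread, a plain `pass in icmp all` / `pass out icmp all` pair, drops state tracking for ICMP entirely and relies on the net.inet.icmp.icmplim sysctl to bound reply rates instead; (a) keeps the narrower type 0/8/11 inbound policy, which is why it is the one adopted above. After reloading the rules (for example with `ipf -Fa -f /etc/ipf.rules`), `ipfstat -sl` lists the current state table, which is a quick way to confirm that an inbound echo request is now creating an entry while you ping the host.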