kern/73399: ipf blocks echo replies with keep state on pass out icmp line

Ted Cabeen ted at impulse.net
Mon Nov 1 16:40:24 PST 2004 

>Number:         73399
>Category:       kern
>Synopsis:       ipf blocks echo replies with keep state on pass out icmp line
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Nov 02 00:40:23 GMT 2004
>Closed-Date:
>Last-Modified:
>Originator:     Ted Cabeen
>Release:        FreeBSD 5.3-RC2 i386
>Organization:
Impulse Internet Services
>Environment:
System: FreeBSD black.impulse.net 5.3-RC2.
Kernel config:
#
# BLACK -- Configuration for the Impulse Backup Server
#

machine		i386
#cpu		I486_CPU
#cpu		I586_CPU
cpu		I686_CPU
ident		BLACK

# To statically compile in device wiring instead of /boot/device.hints
#hints		"GENERIC.hints"		# Default places to look for devices.

options 	SCHED_4BSD		# ULE scheduler is broken
options 	INET			# InterNETworking
options 	INET6			# IPv6 communications protocols
options 	FFS			# Berkeley Fast Filesystem
options 	SOFTUPDATES		# Enable FFS soft updates support
options 	UFS_ACL			# Support for access control lists
options 	UFS_DIRHASH		# Improve performance on big directories
options 	MD_ROOT			# MD is a potential root device
options 	NFSCLIENT		# Network Filesystem Client
options 	MSDOSFS			# MSDOS Filesystem
options 	CD9660			# ISO 9660 Filesystem
options 	PROCFS			# Process filesystem (requires PSEUDOFS)
options 	PSEUDOFS		# Pseudo-filesystem framework
options 	GEOM_GPT		# GUID Partition Tables.
options 	COMPAT_43		# Compatible with BSD 4.3 [KEEP THIS!]
options 	COMPAT_FREEBSD4		# Compatible with FreeBSD4
options 	SCSI_DELAY=15000	# Delay (in ms) before probing SCSI
options 	KTRACE			# ktrace(1) support
options 	SYSVSHM			# SYSV-style shared memory
options 	SYSVMSG			# SYSV-style message queues
options 	SYSVSEM			# SYSV-style semaphores
options 	_KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
options 	KBD_INSTALL_CDEV	# install a CDEV entry in /dev
options 	AHC_REG_PRETTY_PRINT	# Print register bitfields in debug
					# output.  Adds ~128k to driver.
options 	AHD_REG_PRETTY_PRINT	# Print register bitfields in debug
					# output.  Adds ~215k to driver.
options 	ADAPTIVE_GIANT		# Giant mutex is adaptive.

# Bus support.  Do not remove isa, even if you have no isa slots
device		isa
#device		eisa
device		pci

# Floppy drives
device		fdc

# ATA and ATAPI devices
device		ata
device		atadisk		# ATA disk drives
device		ataraid		# ATA RAID drives
device		atapicd		# ATAPI CDROM drives
device		atapifd		# ATAPI floppy drives
device		atapist		# ATAPI tape drives
options 	ATA_STATIC_ID	# Static device numbering

# atkbdc0 controls both the keyboard and the PS/2 mouse
device		atkbdc		# AT keyboard controller
device		atkbd		# AT keyboard
device		psm		# PS/2 mouse

device		vga		# VGA video card driver

#device		splash		# Splash screen and screen saver support

# syscons is the default console driver, resembling an SCO console
device		sc

# Enable this for the pcvt (VT220 compatible) console driver
#device		vt
#options 	XSERVER		# support for X server on a vt console
#options 	FAT_CURSOR	# start with block cursor

device		agp		# support several AGP chipsets

# Floating point support - do not disable.
device		npx

# Power management support (see NOTES for more options)
device		apm
# Add suspend/resume support for the i8254.
device		pmtimer

# Serial (COM) ports
device		sio		# 8250, 16[45]50 based serial ports

# If you've got a "dumb" serial or parallel PCI card that is
# supported by the puc(4) glue driver, uncomment the following
# line to enable it (connects to the sio and/or ppc drivers):
#device         puc

# PCI Ethernet NICs that use the common MII bus controller code.
# NOTE: Be sure to keep the 'device miibus' line in order to use these NICs!
device		miibus		# MII bus support
device		fxp		# Intel EtherExpress PRO/100B (82557, 82558)

# Pseudo devices.
device		loop		# Network loopback
device		mem		# Memory and kernel memory devices
device		io		# I/O device
device		random		# Entropy device
device		ether		# Ethernet support
#device		sl		# Kernel SLIP
#device		ppp		# Kernel PPP
device		tun		# Packet tunnel.
device		pty		# Pseudo-ttys (telnet etc)
device		md		# Memory "disks"
device		gif		# IPv6 and IPv4 tunneling
device		faith		# IPv6-to-IPv4 relaying (translation)

# The `bpf' device enables the Berkeley Packet Filter.
# Be aware of the administrative consequences of enabling this!
device		bpf		# Berkeley packet filter

>Description:
  With the following line in /etc/ipf.rules the firewall blocks outbound 
echo replies:
pass out quick on fxp0 proto icmp all keep state

In FreeBSD 4.x, this line works fine, and echo replies are not blocked.

>How-To-Repeat:

Add "pass out quick on fxp0 proto icmp all keep state" to /etc/ipf.rules
near the top of the file to allow outbound packets.

>Fix:

Change the offending line to the following:
pass out quick on fxp0 proto icmp all

However, this doesn't provide the same functionality as the non-functional 
line.

>Release-Note:
>Audit-Trail:
>Unformatted:

More information about the freebsd-bugs mailing list