kern/73399: ipf blocks echo replies with keep state on pass out icmp line

[Giorgos Keramidas]

The following reply was made to PR kern/73399; it has been noted by GNATS.

From: Giorgos Keramidas <keramida at freebsd.org>
To: Ted Cabeen <ted at impulse.net>
Cc: bug-followup at freebsd.org
Subject: Re: kern/73399: ipf blocks echo replies with keep state on pass out icmp line
Date: Tue, 2 Nov 2004 19:19:33 +0200

 On 2004-11-01 16:35, Ted Cabeen <ted at impulse.net> wrote:
 > With the following line in /etc/ipf.rules the firewall blocks outbound
 > echo replies:
 > pass out quick on fxp0 proto icmp all keep state
 
 Can I see the full ruleset?  This seems to be a problem with the ruleset
 you are using.  I just flushed all my ipfilter rules and loaded a simple
 set like this:
 
 : # ipfstat -hnio
 : 0 @1 pass out quick on sis0 proto icmp from any to any keep state
 : 3 @2 pass out quick proto udp from any to any port = 53 keep state
 : empty list for ipfilter(in)
 
 The first rule allows DNS lookups.  The second is the rule you have
 mentioned; I've only changed fxp0 to sis0, my interface name.
 
 Outgoing icmp echo requests are passed as expected, and their incoming
 icmp echo replies are also allowed:
 
 : # ping www.otenet.gr
 : PING www.otenet.gr (62.103.128.200): 56 data bytes
 : 64 bytes from 62.103.128.200: icmp_seq=0 ttl=120 time=636.550 ms
 : ^C
 : --- www.otenet.gr ping statistics ---
 : 2 packets transmitted, 1 packets received, 50% packet loss
 : round-trip min/avg/max/stddev = 636.550/636.550/636.550/0.000 ms
 
 Incoming echo requests do not receive a reply, because there is no
 matching state to allow them in and there is no explicit allow rule for
 incoming echo requests.  Hence, echo replies are never sent from my
 workstation, unless I also add:
 
 : pass in quick on sis0 proto icmp from any to any keep state
 
 This is not a bug though.