kern/73399: ipf blocks echo replies with keep state on pass out icmp line
Ted Cabeen
ted at impulse.net
Tue Nov 2 10:30:39 PST 2004
The following reply was made to PR kern/73399; it has been noted by GNATS.
From: Ted Cabeen <ted at impulse.net>
To: Giorgos Keramidas <keramida at freebsd.org>
Cc: bug-followup at freebsd.org
Subject: Re: kern/73399: ipf blocks echo replies with keep state on pass out icmp line
Date: Tue, 02 Nov 2004 10:27:58 -0800
Giorgos Keramidas <keramida at freebsd.org> writes:
> On 2004-11-01 16:35, Ted Cabeen <ted at impulse.net> wrote:
>> With the following line in /etc/ipf.rules the firewall blocks outbound
>> echo replies:
>> pass out quick on fxp0 proto icmp all keep state
>
> Can I see the full ruleset? This seems to be a problem with the ruleset
> you are using. I just flushed all my ipfilter rules and loaded a simple
> set like this:
>
> : # ipfstat -hnio
> : 0 @1 pass out quick on sis0 proto icmp from any to any keep state
> : 3 @2 pass out quick proto udp from any to any port = 53 keep state
> : empty list for ipfilter(in)
>
> The first rule allows DNS lookups. The second is the rule you have
> mentioned; I've only changed fxp0 to sis0, my interface name.
>
> Outgoing icmp echo requests are passed as expected, and their incoming
> icmp echo replies are also allowed:
>
> : # ping www.otenet.gr
> : PING www.otenet.gr (62.103.128.200): 56 data bytes
> : 64 bytes from 62.103.128.200: icmp_seq=0 ttl=120 time=636.550 ms
> : ^C
> : --- www.otenet.gr ping statistics ---
> : 2 packets transmitted, 1 packets received, 50% packet loss
> : round-trip min/avg/max/stddev = 636.550/636.550/636.550/0.000 ms
>
> Incoming echo requests do not receive a reply, because there is no
> matching state to allow them in and there is no explicit allow rule for
> incoming echo requests. Hence, echo replies are never sent from my
> workstation, unless I also add:
>
> : pass in quick on sis0 proto icmp from any to any keep state
Outgoing echo requests work fine on this machine. It's inbound
responses that are having problems.
Here's my full ruleset. I have a rule allowing inbound echo requests,
so it should allow the outbound reply packets. What's interesting to
me is that the exact same ruleset works fine on 4.X machines.
-------------
# IP filtering rules. See the ipf(5) man page for more
# information on the format of this file, and /usr/share/ipf
# for example configuration files.
##
## Permit all localhost stuff
##
pass in quick on lo0 all
pass out quick on lo0 all
##
## Permit outbound stuff, except peculiar things.
##
pass out quick on fxp0 proto udp all keep state
pass out quick on fxp0 proto icmp all keep state
pass out quick on fxp0 proto tcp all keep state
block out log from 127.0.0.0/8 to any
block out log from any to 127.0.0.0/8
block out log from any to black
##
## Block & log wacky stuff: options, shorts, spoofs, etc.
##
#block in log quick from any to any with ipopts
#block in log quick proto tcp from any to any with short
##
## More specifically, block from/to localhost and invalid networks
##
block in log quick from 192.168.0.0/16 to any
block in log quick from 172.16.0.0/12 to any
block in log quick from 10.0.0.0/8 to any
block in log quick on fxp0 from 127.0.0.0/8 to any
block in log quick on fxp0 from 0.0.0.0/8 to any
block in log quick on fxp0 from 169.254.0.0/16 to any
block in log quick on fxp0 from 192.0.2.0/24 to any
block in log quick on fxp0 from 204.152.64.0/23 to any
block in log quick on fxp0 from 224.0.0.0/3 to any
block in log quick on fxp0 from black to any
block out log quick on fxp0 from any to 192.168.0.0/16
block out log quick on fxp0 from any to 172.16.0.0/12
block out log quick on fxp0 from any to 10.0.0.0/8
block out log quick on fxp0 from any to 0.0.0.0/8
block out log quick on fxp0 from any to 127.0.0.0/8
block out log quick on fxp0 from any to 169.254.0.0/16
block out log quick on fxp0 from any to 192.0.2.0/24
block out log quick on fxp0 from any to 204.152.64.0/23
block out log quick on fxp0 from any to 224.0.0.0/3
##
## ICMP rules
##
pass in quick on fxp0 proto icmp from any to black icmp-type 0
pass in quick on fxp0 proto icmp from any to black icmp-type 8
pass in quick on fxp0 proto icmp from any to black icmp-type 11
# Allow SSH in from 64 net
pass in quick proto tcp from 207.154.64.0/23 to black port = 22 flags S keep state
pass in quick proto tcp from 64.4.129.0/24 to black port = 22 flags S keep state
# Allow monitoring from demon
pass in quick proto udp from 207.154.64.163/32 to black port = 161 keep state
pass in quick proto tcp from 207.154.64.163/32 to black port = 5666 flags S keep state
# Allow Amanda from 64 net
pass in quick proto udp from 207.154.64.0/24 port = 10080 to black keep state
pass in quick proto udp from 207.154.84.24/32 port = 10080 to black keep state
pass in quick proto tcp from 207.154.64.174/32 to 207.154.64.33/32 port = 63425 flags S keep state
##
## Block and log inbound traffic, just in case.
##
block return-rst in log quick on fxp0 proto tcp all
block return-icmp(port-unr) in log quick on fxp0 proto udp all
block in log on fxp0 all
--
Ted Cabeen
Sr. Systems/Network Administrator
Impulse Internet Services
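As an added illustration (not part of the PR or of Ted's ruleset), the following Python model traces which rule in the ICMP-relevant subset of the ruleset above matches an inbound echo request and the outbound echo reply. It models ipf's "quick" and last-match semantics only, not keep-state tracking, so it shows what the static rules say should happen; the address assigned to the "black" alias is a constructed placeholder.

```python
# Minimal ipf-style rule matcher for ICMP, built to trace which rule in the
# reported ruleset matches a packet. It models "quick" (stop at first match)
# and ipf's default last-match semantics, but NOT keep-state tracking, so it
# shows what the static rules say, not what the kernel's state table does.
from dataclasses import dataclass
from typing import Optional, Tuple

BLACK = "203.0.113.10"  # constructed placeholder for the "black" host alias

@dataclass
class Rule:
    action: str              # "pass" or "block"
    direction: str           # "in" or "out"
    quick: bool              # stop evaluating on match
    iface: Optional[str]     # None means any interface
    proto: Optional[str]     # None means any protocol
    dst: Optional[str]       # None means any destination host
    icmp_type: Optional[int] # None means any icmp-type
    keep_state: bool = False # recorded but not modelled here

# The ICMP-relevant subset of the reported ruleset, in file order.
RULES = [
    Rule("pass", "out", True, "fxp0", "icmp", None, None, keep_state=True),
    Rule("pass", "in", True, "fxp0", "icmp", BLACK, 0),
    Rule("pass", "in", True, "fxp0", "icmp", BLACK, 8),
    Rule("pass", "in", True, "fxp0", "icmp", BLACK, 11),
    Rule("block", "in", False, "fxp0", None, None, None),  # block in log on fxp0 all
]

def matches(r: Rule, direction: str, iface: str, proto: str,
            dst: str, icmp_type: Optional[int]) -> bool:
    """True if every field of the rule is a wildcard or equals the packet's."""
    return (r.direction == direction
            and r.iface in (None, iface)
            and r.proto in (None, proto)
            and r.dst in (None, dst)
            and r.icmp_type in (None, icmp_type))

def evaluate(direction: str, iface: str, proto: str, dst: str,
             icmp_type: Optional[int], rules=RULES) -> Tuple[str, Optional[int]]:
    """Return (action, index of deciding rule). ipf semantics: the last matching
    rule wins unless a matching rule is 'quick', which ends evaluation at once.
    With no matching rule at all, ipf's compiled-in default is pass."""
    result: Tuple[str, Optional[int]] = ("pass", None)
    for i, r in enumerate(rules):
        if matches(r, direction, iface, proto, dst, icmp_type):
            result = (r.action, i)
            if r.quick:
                break
    return result

if __name__ == "__main__":
    print("inbound echo request :", evaluate("in", "fxp0", "icmp", BLACK, 8))
    print("outbound echo reply  :", evaluate("out", "fxp0", "icmp", "198.51.100.7", 0))
```

Under static matching the inbound request hits the icmp-type 8 pass rule and the outbound reply hits the "pass out quick ... proto icmp all keep state" rule, which is why the reported block points at state handling rather than at rule order.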