kern/73399: ipf blocks echo replies with keep state on pass out icmp line

Ted Cabeen ted at impulse.net
Tue Nov 2 10:30:39 PST 2004


The following reply was made to PR kern/73399; it has been noted by GNATS.

From: Ted Cabeen <ted at impulse.net>
To: Giorgos Keramidas <keramida at freebsd.org>
Cc: bug-followup at freebsd.org
Subject: Re: kern/73399: ipf blocks echo replies with keep state on pass out icmp line
Date: Tue, 02 Nov 2004 10:27:58 -0800

 Giorgos Keramidas <keramida at freebsd.org> writes:
 
 > On 2004-11-01 16:35, Ted Cabeen <ted at impulse.net> wrote:
 >> With the following line in /etc/ipf.rules the firewall blocks outbound
 >> echo replies:
 >> pass out quick on fxp0 proto icmp all keep state
 >
 > Can I see the full ruleset?  This seems to be a problem with the ruleset
 > you are using.  I just flushed all my ipfilter rules and loaded a simple
 > set like this:
 >
 > : # ipfstat -hnio
 > : 0 @1 pass out quick on sis0 proto icmp from any to any keep state
 > : 3 @2 pass out quick proto udp from any to any port = 53 keep state
 > : empty list for ipfilter(in)
 >
 > The first rule allows DNS lookups.  The second is the rule you have
 > mentioned; I've only changed fxp0 to sis0, my interface name.
 >
 > Outgoing icmp echo requests are passed as expected, and their incoming
 > icmp echo replies are also allowed:
 >
 > : # ping www.otenet.gr
 > : PING www.otenet.gr (62.103.128.200): 56 data bytes
 > : 64 bytes from 62.103.128.200: icmp_seq=0 ttl=120 time=636.550 ms
 > : ^C
 > : --- www.otenet.gr ping statistics ---
 > : 2 packets transmitted, 1 packets received, 50% packet loss
 > : round-trip min/avg/max/stddev = 636.550/636.550/636.550/0.000 ms
 >
 > Incoming echo requests do not receive a reply, because there is no
 > matching state to allow them in and there is no explicit allow rule for
 > incoming echo requests.  Hence, echo replies are never sent from my
 > workstation, unless I also add:
 >
 > : pass in quick on sis0 proto icmp from any to any keep state
 
 Outgoing echo requests work fine on this machine.  It's inbound
 responses that are having problems.
 
 Here's my full ruleset.  I have a rule allowing inbound echo requests,
 so it should allow the outbound reply packets.  What's interesting to
 me is that the exact same ruleset works fine on 4.X machines.
 
 -------------
 # IP filtering rules.  See the ipf(5) man page for more
 # information on the format of this file, and /usr/share/ipf
 # for example configuration files.
 
 ##
 ## Permit all localhost stuff
 ##
 pass in quick on lo0 all
 pass out quick on lo0 all
 
 ##
 ## Permit outbound stuff, except peculiar things.
 ##
 pass out quick on fxp0 proto udp all keep state
 pass out quick on fxp0 proto icmp all keep state
 pass out quick on fxp0 proto tcp all keep state
 block out log from 127.0.0.0/8 to any
 block out log from any to 127.0.0.0/8
 block out log from any to black
 
 ##
 ## Block & log wacky stuff: options, shorts, spoofs, etc.
 ##
 #block in log quick from any to any with ipopts
 #block in log quick proto tcp from any to any with short
 
 ##
 ## More specifically, block from/to localhost and invalid networks
 ##
 block in log quick from 192.168.0.0/16 to any
 block in log quick from 172.16.0.0/12 to any
 block in log quick from 10.0.0.0/8 to any
 block in log quick on fxp0 from 127.0.0.0/8 to any 
 block in log quick on fxp0 from 0.0.0.0/8 to any
 block in log quick on fxp0 from 169.254.0.0/16 to any
 block in log quick on fxp0 from 192.0.2.0/24 to any
 block in log quick on fxp0 from 204.152.64.0/23 to any
 block in log quick on fxp0 from 224.0.0.0/3 to any
 block in log quick on fxp0 from black to any 
 block out log quick on fxp0 from any to 192.168.0.0/16
 block out log quick on fxp0 from any to 172.16.0.0/12
 block out log quick on fxp0 from any to 10.0.0.0/8
 block out log quick on fxp0 from any to 0.0.0.0/8
 block out log quick on fxp0 from any to 127.0.0.0/8
 block out log quick on fxp0 from any to 169.254.0.0/16
 block out log quick on fxp0 from any to 192.0.2.0/24
 block out log quick on fxp0 from any to 204.152.64.0/23
 block out log quick on fxp0 from any to 224.0.0.0/3
 
 ##
 ## ICMP rules
 ##
 pass in quick on fxp0 proto icmp from any to black icmp-type 0
 pass in quick on fxp0 proto icmp from any to black icmp-type 8
 pass in quick on fxp0 proto icmp from any to black icmp-type 11
 
 # Allow SSH in from 64 net
 pass in quick proto tcp from 207.154.64.0/23 to black port = 22 flags S keep state 
 pass in quick proto tcp from 64.4.129.0/24 to black port = 22 flags S keep state 
 
 # Allow monitoring from demon
 pass in quick proto udp from 207.154.64.163/32 to black port = 161 keep state
 pass in quick proto tcp from 207.154.64.163/32 to black port = 5666 flags S keep state
 
 # Allow Amanda from 64 net
 pass in quick proto udp from 207.154.64.0/24 port = 10080 to black keep state
 pass in quick proto udp from 207.154.84.24/32 port = 10080 to black keep state
 pass in quick proto tcp from 207.154.64.174/32 to 207.154.64.33/32 port = 63425 flags S keep state
 
 ##
 ## Block and log inbound traffic, just in case.
 ##
 block return-rst in log quick on fxp0 proto tcp all
 block return-icmp(port-unr) in log quick on fxp0 proto udp all
 block in log on fxp0 all 
 
 
 -- 
 Ted Cabeen
 Sr. Systems/Network Administrator
 Impulse Internet Services
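One way to apply the stateful inbound approach from Giorgos's reply to the ICMP section of the ruleset above, written as an added example that is not part of the PR or of Ted's configuration. It assumes, as the quoted test in the thread suggests, that an inbound echo request passed with keep state creates a state entry that the outbound echo reply matches, so the reply never has to be evaluated by the `pass out quick on fxp0 proto icmp all keep state` rule on its own; `black` is the hostname variable already used in the ruleset.

```ipf
##
## ICMP rules
##
# Echo requests addressed to this host: keep state so that the echo reply
# (type 0) leaves through the state entry rather than being matched as a
# fresh packet by the outbound rules.
pass in quick on fxp0 proto icmp from any to black icmp-type 8 keep state

# Replies and TTL-exceeded messages for probes that did not create state
# here (or whose state has expired) still need explicit stateless rules.
pass in quick on fxp0 proto icmp from any to black icmp-type 0
pass in quick on fxp0 proto icmp from any to black icmp-type 11

# Alternative, to be placed in the "Permit outbound stuff" section before
# the "pass out quick on fxp0 proto icmp all keep state" line: let echo
# replies out with a stateless rule instead of asking keep state to track
# them. Either approach alone is sufficient; they are shown together only
# for comparison.
pass out quick on fxp0 proto icmp from black to any icmp-type 0
```

After reloading with `ipf -Fa -f /etc/ipf.rules`, `ipfstat -sl` should list an ICMP state entry while an external host is pinging the machine.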