kern/73399: ipf blocks echo replies with keep state on pass out icmp line

[Giorgos Keramidas]

The following reply was made to PR kern/73399; it has been noted by GNATS.

From: Giorgos Keramidas <keramida at freebsd.org>
To: Ted Cabeen <ted at impulse.net>
Cc: bug-followup at freebsd.org
Subject: Re: kern/73399: ipf blocks echo replies with keep state on pass out icmp line
Date: Wed, 3 Nov 2004 00:30:30 +0200

 On 2004-11-02 10:27, Ted Cabeen <ted at impulse.net> wrote:
 > Giorgos Keramidas <keramida at freebsd.org> writes:
 > > On 2004-11-01 16:35, Ted Cabeen <ted at impulse.net> wrote:
 > >> With the following line in /etc/ipf.rules the firewall blocks outbound
 > >> echo replies:
 > >> pass out quick on fxp0 proto icmp all keep state
 > >
 > > Can I see the full ruleset?  This seems to be a problem with the ruleset
 > > you are using.
 >
 !grep icmp rules
 > pass out quick on fxp0 proto icmp all keep state
 > pass in quick on fxp0 proto icmp from any to black icmp-type 0
 > pass in quick on fxp0 proto icmp from any to black icmp-type 8
 > pass in quick on fxp0 proto icmp from any to black icmp-type 11
 > block return-icmp(port-unr) in log quick on fxp0 proto udp all
 
 Your ruleset uses `keep state' for outgoing icmps but not for the icmp-types
 0, 8 and 11.  I'm not sure how ipfilter keeps states internally, but can you
 try one of the following?
 
 a. Add 'keep state' to the input rules too, or
 
 b. Replace all your icmp rules with a pair like this:
 
 	pass in icmp all
 	pass out icmp all
 
 If (a) doesn't work but (b) works, we'll have to look at this in more
 detail.  If they both work, it's probably a lot faster to keep (b) and
 use the net.inet.icmp.icmplim sysctl to limit the rate of icmp packets ;-)