Return-icmp doesn't work [Was: Re: Recent panics caused by pf]
emanuel.strobl at gmx.net
Fri Mar 11 12:11:15 GMT 2005
On Monday, 21 February 2005 19:24, Max Laier wrote:
> On Monday 21 February 2005 15:57, Harald Schmalzbauer wrote:
> > On Sunday, 20 February 2005 19:10, Max Laier wrote:
> > > /me slaps self ...
> > I tested your patch against RELENG_5 and the panic with "pfctl -Fall"
> > seems to be solved.
> > But I have another problem with renamed interfaces and pf:
> > The following rule can't be loaded (error: routeto: unknown interface
> > SDSL) "pass in on SDSL reply-to (SDSL $sdsl_gw) proto tcp from any to
> > $mta port 25"
> > And there are more oddities with pf and FreeBSD:
> > block return doesn't work. At least for TCP connections I don't get a
> > reset back instead it times out.
> > Also return-icmp (13) doesn't work.
> Hum?!? ... Are you sure about this? I am pretty confident that it works.
> I'll have to test to make sure ... later that week/next week. Keep me
> posted in case you find something.
I'm on the firewall again and verified that block return works for tcp-rst,
but not for return-icmp (with or without code); it seems packets just get
dropped, regardless of protocol (tested UDP, ICMP, TCP).
Then I have another problem which may be a design problem.
I am multihomed and have several pass reply-to rules. So far things are
working fine but block return doesn't! Of course, the return gets over the
default route, so what I needed is a block return route-to or something like
Do you know any detour how this could be achieved?
> > Thanks,
> > -Harry (P.S.: Emanuel and Harry are the same persons (me) the gmx address
> > is just a fake identity for mailing lists)
> okay ... you see us perplexed ;)
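As an added illustration (not part of this thread, and not the poster's own configuration), here is a constructed pf.conf fragment showing the rule forms discussed above: a block that answers TCP with a RST, a block that answers other protocols with ICMP unreachable code 13 (communication administratively prohibited), and a pass rule using reply-to so that replies on a multihomed box leave through the link they arrived on. The interface name, gateway and host addresses are assumptions; the addresses come from the 192.0.2.0/24 documentation range.

```pf
# Constructed example; interface names, addresses and macros are assumptions.
ext_if  = "SDSL"         # assumed: renamed external interface
sdsl_gw = "192.0.2.1"    # assumed: next hop on that link
mta     = "192.0.2.25"   # assumed: mail host behind the firewall

# Block with an active response rather than a silent drop, and log so the
# decision is visible on pflog0.
# TCP gets a RST; UDP and ICMP get ICMP unreachable code 13 (admin prohibited).
block return-rst      log in on $ext_if proto tcp
block return-icmp(13) log in on $ext_if proto { udp, icmp }

# Multihomed: replies for this state are sent back out via $sdsl_gw on $ext_if
# instead of following the default route.
pass in on $ext_if reply-to ($ext_if $sdsl_gw) \
    proto tcp from any to $mta port 25 keep state
```

After loading with `pfctl -f /etc/pf.conf`, `pfctl -vsr` shows the rules as parsed (a useful check that the renamed interface resolved), `tcpdump -n -e -ttt -i pflog0` shows which packets the block rules matched, and a capture on the external interface shows whether a RST or ICMP unreachable actually left the box, which is the distinction the thread is trying to pin down.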