return-icmp() relative question to ipf rule.

Remko Lodder remko at elvandar.org
Wed Oct 28 08:23:19 UTC 2009


On Oct 26, 2009, at 4:02 PM, jhell wrote:

>
> On Mon, 26 Oct 2009 09:18, remko@ wrote:
>> On Oct 10, 2009, at 4:09 AM, jhell wrote:
>>
>>> I have a rule I used in ipfilter probably around 2 or so years ago  
>>> and I am now getting around to trying to implement in it my pf  
>>> rules. So far any results I have achieved have failed with no  
>>> response back from the server and get dropped.
>>> The rule in ipf syntax:
>>> block return-icmp-as-dest(13) in log first quick proto icmp all  
>>> icmp-type 8
>>> The above ipf rule returns a result of "Destination  
>>> Administratively Prohibited" when ping'd
>>> The following pf syntax:
>>> block return-icmp(3,13) in quick inet proto icmp from any to any  
>>> icmp-type 8 code 0
>>> The above pf rule returns a result of "Nothing ........" when ping'd
>>> Just to be sure I wasn't mucking up the chain of rules I added  
>>> this as the only rule to test it out and have achieved the same  
>>> result multiple times on a test machine.
>>> Can anyone shed some light on the syntax and help me out with  
>>> getting this rule to make the system respond to a echo request  
>>> with admin-prohib as the destination system ?
>>> Thanks
>>
>>
>> *click* (the light is on)
>>
>>         Options returning ICMP packets currently have no effect if pf(4)
>>         operates on a if_bridge(4), as the code to support this feature has
>>         not yet been implemented.
>>
>> from the Manual page. I think that answers the question?
>>
>
> Thanks Remko,
>
> No I'm not using if_bridge(4) here, nor any bridge for that matter.  
> I have tested this directly from interface -> interface with a patch  
> cable thinking that the click that I heard from the light above  
> would actually turn something on but was just throwing a breaker.


OK, yes I understand what you mean. I over-read the bridge part. My
apologies for the confusion this caused. I am not sure whether it then
should or should not work though. One thing that I noticed is that you
speak about 'it was in IPF and it isn't in PF', please keep in mind that
PF is a complete rewrite and looks similar to IPF with syntax etc.
Features found there are no guarantee that it will be in PF as well.
Doesn't make up the fact that the documentation indeed talks about it
being possible and seemingly impossible to do it.

I added Max to the discussion, he might be able to tell whether or not  
this is integrated and whether it should work at all :-)

Thanks for catching my misread part!

-- 
/"\   Best regards,                        | remko at FreeBSD.org
\ /   Remko Lodder                      | remko at EFnet
X    http://www.evilcoder.org/    |
/ \   ASCII Ribbon Campaign    | Against HTML Mail and News
