icmp-type echoreq not matching resulting ttl exceeded

Ermal Luçi eri at freebsd.org
Fri Nov 29 15:23:30 UTC 2013


On Fri, Nov 29, 2013 at 2:53 PM, Ian FREISLICH <ianf at clue.co.za> wrote:

> Ermal Luçi wrote:
> > On Fri, Nov 29, 2013 at 1:28 PM, Ian FREISLICH <ianf at clue.co.za> wrote:
> > > At some point this stopped working.  I was able to use traceroute -I
> > > This rule let the echo request out and the resulting TTL exceeded
> > > was matched and allowed back in.
> >
> > Which FreeBSD version are you testing this on?
> > Normally it should just work unless the reply src ip is different from your sent dstip.
>
> I'm using 11.0-CURRENT #41 r258736 and if-bound state.  This doesn't
> work from the host or from a host on any interface that has the
> rule:
>

Have you tried whether it succeeds if you relax the if-bound rule?
Other than that, the code is similar there on all pf versions for matching
icmp state based on these specific returns.


>
> pass  out inet proto icmp from <ournets> to any icmp-type echoreq
>
> All interfaces have 'pass   in all'
>
> So for instance a host on vlan21 cannot traceroute to a host off vlan23:
>
> [rv1.jnb1] ~ $ traceroute -w1 -I router.lsn102
> traceroute to router.lsn102.gp-online.net (41.154.14.81), 64 hops max, 72 byte packets
>  1  firewall1.vlan21.jnb1.gp-online.net (41.154.0.58)  0.195 ms  0.152 ms  0.169 ms
>  2  * * *
>  3  * * *
>  4  * * *
>  5  * * *
>  6  * * *
>  7  bridge1.router.lsn102.gp-online.net (41.154.14.81)  4.080 ms  5.859 ms  6.832 ms
>
> However, the traffic is not being denied, or at least it's not being
> logged and all my block rules log.
>
> When the source interface does not have the rule
> pass  out inet proto icmp from <ournets> to any icmp-type echoreq
> then the traceroute is successful.
>
> Ian
>
> --
> Ian Freislich
>



-- 
Ermal
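The matching Ermal describes above, as an added illustration that is not code from the thread or from pf itself: a simplified Python model of how an ICMP time-exceeded reply is tied back to the echo request's state through the quoted inner datagram (so the router's own source address never needs a state of its own), and how an if-bound state, unlike a floating one, rejects a reply that arrives on a different interface. Addresses (RFC 5737) and interface names are constructed for the example.

```python
import struct
import ipaddress

# Constructed sample addresses (RFC 5737), not the ones from the thread.
CLIENT, TARGET, ROUTER = "192.0.2.10", "198.51.100.81", "203.0.113.1"

def ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (IHL=5, header checksum left zero) plus payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload

def echo_request(src, dst, ident, seq):
    return ipv4(src, dst, 1, struct.pack("!BBHHH", 8, 0, 0, ident, seq))

def time_exceeded(router, quoted):
    """ICMP type 11 from a router back to the original sender: 4 unused
    bytes, then the offending IP header plus the first 8 bytes (echo header)."""
    inner_src = str(ipaddress.IPv4Address(quoted[12:16]))
    return ipv4(router, inner_src, 1, struct.pack("!BBHI", 11, 0, 0, 0) + quoted[:28])

def state_key(pkt):
    """(src, dst, icmp id) of the echo request a packet belongs to, or None.
    For ICMP errors the key is taken from the quoted inner datagram, which is
    why the reply's own source (a router hop) need not be in the state table."""
    if pkt[9] != 1:                       # not ICMP
        return None
    icmp = pkt[(pkt[0] & 0x0F) * 4:]
    if icmp[0] == 8:                      # echo request: key from outer header
        return (str(ipaddress.IPv4Address(pkt[12:16])),
                str(ipaddress.IPv4Address(pkt[16:20])),
                struct.unpack("!H", icmp[4:6])[0])
    if icmp[0] in (3, 11) and len(icmp) >= 36:   # unreachable / time exceeded
        return state_key(icmp[8:])        # recurse into the quoted datagram
    return None

class StateTable:
    def __init__(self, policy="if-bound"):
        self.policy, self.states = policy, {}

    def create(self, pkt, iface):         # 'pass out ... icmp-type echoreq'
        self.states[state_key(pkt)] = iface

    def matches(self, pkt, iface):
        bound = self.states.get(state_key(pkt))
        return bound is not None and (self.policy == "floating" or bound == iface)

def demo():
    req, results = echo_request(CLIENT, TARGET, 0x1234, 1), {}
    for policy in ("if-bound", "floating"):
        st = StateTable(policy); st.create(req, "vlan23")
        results[policy, "same-if"] = st.matches(time_exceeded(ROUTER, req), "vlan23")
        results[policy, "other-if"] = st.matches(time_exceeded(ROUTER, req), "vlan21")
    # A reply quoting a different destination than the one we sent to (Ermal's
    # "reply src ip different from sent dstip" case) matches under no policy.
    other = echo_request(CLIENT, "198.51.100.82", 0x1234, 1)
    results["wrong-inner-dst"] = StateTable("floating").matches(time_exceeded(ROUTER, other), "vlan23")
    return results
```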

