kern/75036: pf / icmp 64 / operation wrongully not permitted?
Daniel Hartmeier
daniel at benzedrine.cx
Tue Dec 14 02:50:26 PST 2004
The following reply was made to PR kern/75036; it has been noted by GNATS.
From: Daniel Hartmeier <daniel at benzedrine.cx>
To: Arne Wörner <arne_woerner at yahoo.com>
Cc: freebsd-gnats-submit at freebsd.org
Subject: Re: kern/75036: pf / icmp 64 / operation wrongully not permitted?
Date: Tue, 14 Dec 2004 11:47:16 +0100
On Mon, Dec 13, 2004 at 11:37:06PM +0000, Arne Wörner wrote:
> >Number: 75036
> >Synopsis: pf / icmp 64 / operation wrongully not permitted?
> I just tried to do
> ping -R localhost
> With pf enabled: The ping command says that the operation is not permitted.
Record route (-R) is an IP option. By default, pf blocks all packets
with IP options, unless the last-matching rule contains the 'allow-opts'
keyword.
Here's the relevant section from pf.conf(5):

    allow-opts
        By default, packets which contain IP options are blocked. When
        allow-opts is specified for a pass rule, packets that pass the
        filter based on that rule (last matching) do so even if they
        contain IP options. For packets that match state, the rule that
        initially created the state is used. The implicit pass rule that
        is used when a packet does not match any rules does not allow IP
        options.

> pass in quick on lo0 all
> pass out quick on lo0 all
Try
pass in quick on lo0 all allow-opts
pass out quick on lo0 all allow-opts
Daniel
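
An added illustration, not part of the original message and not pf's own code: a small Python model of the behaviour in the quoted pf.conf(5) text, showing why a Record Route ping is dropped by a plain pass rule. The packet bytes are constructed, the function names and rule dictionaries are hypothetical, every rule is assumed to match the packet, and state matching is not modelled.

```python
import struct

LOOPBACK = bytes([127, 0, 0, 1])

def ipv4_header(options: bytes = b"") -> bytes:
    """Build a constructed IPv4 + ICMP echo packet; checksums left 0 (not verified here)."""
    ihl = (20 + len(options)) // 4                     # header length in 32-bit words
    return struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + 8, 0, 0,
                       64, 1, 0, LOOPBACK, LOOPBACK) + options + bytes([8]) + bytes(7)

# Constructed samples: Record Route is option type 7 (RFC 791), here with
# 9 empty address slots (length 39) plus one End-of-List byte of padding.
RR_PING = ipv4_header(bytes([7, 39, 4]) + bytes(36) + b"\x00")
PLAIN_PING = ipv4_header()

def option_types(packet: bytes) -> list:
    """List the option type bytes found between byte 20 and the end of the header."""
    end, i, kinds = (packet[0] & 0x0F) * 4, 20, []
    if packet[0] >> 4 != 4 or end < 20 or end > len(packet):
        raise ValueError("not a well-formed IPv4 header")
    while i < end and packet[i] != 0:                  # 0 = End of Option List
        kinds.append(packet[i])
        if packet[i] == 1:                             # 1 = NOP, a single byte
            i += 1
            continue
        if i + 1 >= end or packet[i + 1] < 2 or i + packet[i + 1] > end:
            raise ValueError("malformed IP option")
        i += packet[i + 1]                             # skip type, length and data
    return kinds

def verdict(packet: bytes, rules: list) -> str:
    """Last matching rule wins; 'quick' stops evaluation (all rules assumed to match)."""
    action, allow_opts = "pass", False                 # implicit pass: no allow-opts
    for rule in rules:
        action, allow_opts = rule["action"], rule.get("allow_opts", False)
        if rule.get("quick"):
            break
    has_options = (packet[0] & 0x0F) > 5               # header longer than 20 bytes
    if action == "pass" and has_options and not allow_opts:
        return "block"
    return action

REPORTED = [{"action": "pass", "quick": True}]                       # pass ... quick on lo0 all
SUGGESTED = [{"action": "pass", "quick": True, "allow_opts": True}]  # ... all allow-opts
```
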