kern/73399: ipf blocks echo replies with keep state on pass out icmp line
Ted Cabeen
ted at impulse.net
Wed Nov 3 11:10:16 PST 2004
The following reply was made to PR kern/73399; it has been noted by GNATS.
From: Ted Cabeen <ted at impulse.net>
To: Giorgos Keramidas <keramida at freebsd.org>
Cc: bug-followup at freebsd.org
Subject: Re: kern/73399: ipf blocks echo replies with keep state on pass out icmp line
Date: Wed, 03 Nov 2004 11:09:17 -0800
Giorgos Keramidas <keramida at freebsd.org> writes:
> On 2004-11-02 10:27, Ted Cabeen <ted at impulse.net> wrote:
>> Giorgos Keramidas <keramida at freebsd.org> writes:
>> > On 2004-11-01 16:35, Ted Cabeen <ted at impulse.net> wrote:
>> >> With the following line in /etc/ipf.rules the firewall blocks outbound
>> >> echo replies:
>> >> pass out quick on fxp0 proto icmp all keep state
>> >
>> > Can I see the full ruleset? This seems to be a problem with the ruleset
>> > you are using.
>>
>> !grep icmp rules
>> pass out quick on fxp0 proto icmp all keep state
>> pass in quick on fxp0 proto icmp from any to black icmp-type 0
>> pass in quick on fxp0 proto icmp from any to black icmp-type 8
>> pass in quick on fxp0 proto icmp from any to black icmp-type 11
>> block return-icmp(port-unr) in log quick on fxp0 proto udp all
>
> Your ruleset uses `keep state' for outgoing icmps but not for the icmp-types
> 0, 8 and 11. I'm not sure how ipfilter keeps states internally, but can you
> try one of the following?
>
> a. Add 'keep state' to the input rules too, or
>
> b. Replace all your icmp rules with a pair like this:
>
> pass in icmp all
> pass out icmp all
>
> If (a) doesn't work but (b) works, we'll have to look at this in more
> detail. If they both work, it's probably a lot faster to keep (b) and
> use the net.inet.icmp.icmplim sysctl to limit the rate of icmp packets ;-)
(a) works, so I'll probably just go with that. Thanks for the input.
--
Ted Cabeen
Sr. Systems/Network Administrator
Impulse Internet Services