"BAD ICMP" message

Sebastiaan van Erk sebster at sebster.com
Thu Apr 23 05:05:58 UTC 2009


Hi,

I have the following setup:

[openvpn client 10.0.80.150] -> internet -> [vpn server 10.0.80.77] -> internet -> [openvpn client 10.0.80.4]

The VPN server has 2 backups with CARP [.76, .75, shared IP .74] though 
I don't use the CARP failover for their role as VPN server but only for 
their role as gateway for the 10.0.80.0/24 network. For the VPN I use 
failover by specifying multiple "remote" lines to their respective 
external addresses in the openvpn client config.

When I try an ssh from 10.0.80.150 to 10.0.80.4 I get to enter my 
password and sometimes even a few commands, but then pf suddenly starts 
blocking the connection with the following messages:

1. 033789 rule 10/0(match): block in on em1: 10.0.80.150.51422 > 10.0.80.4.22: [|tcp]
2. 079427 rule 10/0(match): block in on em1: 10.0.80.150.51422 > 10.0.80.4.22: [|tcp]
4. 161413 rule 10/0(match): block in on em1: 10.0.80.150.51422 > 10.0.80.4.22: [|tcp]
8. 319210 rule 10/0(match): block in on em1: 10.0.80.150.51422 > 10.0.80.4.22: [|tcp]

Rule 10 is the catch-all rule:

@10 block drop log all

I turned up the debug level to loud using pfctl -xl and I see these BAD ICMP 
messages just before the state of the above connection disappears from 
the state table and the connection gets blocked:

Apr 23 06:58:38 vpn3 kernel: pf: loose state match: TCP 10.0.80.150:51422 10.0.80.150:51422 10.0.80.4:22 [lo=3150927679 high=3150923785 win=692 modulator=0] [lo=0 high=692 win=1 modulator=0] 2:0 A seq=3150927679 (3150927679) ack=0 len=0 ackskew=0 pkts=77:0
Apr 23 06:58:38 vpn3 kernel: pf: BAD ICMP 5:1 10.0.80.77 -> 10.0.80.150 state: TCP 10.0.80.4:22 10.0.80.4:22 10.0.80.150:51422 [lo=3150927679 high=3150923785 win=692 modulator=0] [lo=0 high=692 win=1 modulator=0] 2:0 seq=3150927679

I see this message several times and the connection no longer works 
after that.

Does anybody know what's going on and how I can fix it?

Many thanks,
Sebastiaan van Erk
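An added example, not part of the post above and not pf's own code: a small Python script that parses the two kinds of pf log line quoted in the post (the "pf: BAD ICMP type:code" debug message and the "rule N/M(match): block ..." tcpdump line), decodes the ICMP type and code (5:1 is "redirect, host" per RFC 792), and matches each blocked packet to any BAD ICMP message whose state has the same two endpoints, so you can see which blocked flows had a bad ICMP hit their state first. The sample lines are constructed from the ones in the post (unwrapped onto single lines) plus one extra block entry for an unrelated flow to show the filtering; the ICMP name table covers only the common types.

```python
import re
from typing import Optional

# Constructed sample log, modelled on the lines quoted in the post.
# The last block line is an unrelated flow added to show that it is
# not matched to any BAD ICMP message.
SAMPLE_LOG = """\
Apr 23 06:58:38 vpn3 kernel: pf: loose state match: TCP 10.0.80.150:51422 10.0.80.150:51422 10.0.80.4:22 [lo=3150927679 high=3150923785 win=692 modulator=0] [lo=0 high=692 win=1 modulator=0] 2:0 A seq=3150927679 (3150927679) ack=0 len=0 ackskew=0 pkts=77:0
Apr 23 06:58:38 vpn3 kernel: pf: BAD ICMP 5:1 10.0.80.77 -> 10.0.80.150 state: TCP 10.0.80.4:22 10.0.80.4:22 10.0.80.150:51422 [lo=3150927679 high=3150923785 win=692 modulator=0] [lo=0 high=692 win=1 modulator=0] 2:0 seq=3150927679
1. 033789 rule 10/0(match): block in on em1: 10.0.80.150.51422 > 10.0.80.4.22: [|tcp]
2. 079427 rule 10/0(match): block in on em1: 10.0.80.150.51422 > 10.0.80.4.22: [|tcp]
0. 000123 rule 10/0(match): block in on em1: 10.0.80.200.40000 > 10.0.80.4.22: [|tcp]
"""

# Common ICMP types (RFC 792); redirect codes say what is being redirected.
ICMP_TYPE_NAMES = {0: "echo-reply", 3: "destination-unreachable", 4: "source-quench",
                   5: "redirect", 8: "echo-request", 11: "time-exceeded",
                   12: "parameter-problem"}
ICMP_REDIRECT_CODES = {0: "network", 1: "host", 2: "tos-and-network", 3: "tos-and-host"}

# "pf: BAD ICMP <type>:<code> <src> -> <dst> state: <proto> a:p g:p b:p ..."
# The state is printed as three address:port pairs; the first and third are
# the two connection endpoints (as seen in the post's own log line).
BAD_ICMP_RE = re.compile(
    r"pf: BAD ICMP (?P<type>\d+):(?P<code>\d+) (?P<icmp_src>[\d.]+) -> (?P<icmp_dst>[\d.]+) "
    r"state: (?P<proto>\w+) (?P<a>[\d.]+):(?P<ap>\d+) (?P<g>[\d.]+):(?P<gp>\d+) "
    r"(?P<b>[\d.]+):(?P<bp>\d+)")

# "rule <n>/<m>(<reason>): <action> <dir> on <if>: a.b.c.d.port > a.b.c.d.port: ..."
BLOCK_RE = re.compile(
    r"rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>\w+)\): (?P<action>block|pass) "
    r"(?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):")


def icmp_name(icmp_type: int, code: int) -> str:
    """Human-readable ICMP type/code, e.g. 5:1 -> 'redirect(host)'."""
    name = ICMP_TYPE_NAMES.get(icmp_type, f"type-{icmp_type}")
    if icmp_type == 5:
        return f"{name}({ICMP_REDIRECT_CODES.get(code, f'code-{code}')})"
    return f"{name}(code {code})"


def parse_bad_icmp(line: str) -> Optional[dict]:
    """Parse a 'pf: BAD ICMP' debug line; None if the line is something else."""
    m = BAD_ICMP_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "type": int(d["type"]), "code": int(d["code"]),
        "name": icmp_name(int(d["type"]), int(d["code"])),
        "icmp_src": d["icmp_src"], "icmp_dst": d["icmp_dst"], "proto": d["proto"],
        # Direction-independent flow key: the set of the two endpoints.
        "endpoints": frozenset({(d["a"], int(d["ap"])), (d["b"], int(d["bp"]))}),
    }


def parse_block(line: str) -> Optional[dict]:
    """Parse a 'rule N/M(match): block ...' line from pflog/tcpdump."""
    m = BLOCK_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "rule": int(d["rule"]), "action": d["action"], "dir": d["dir"], "iface": d["iface"],
        "src": d["src"], "sport": int(d["sport"]), "dst": d["dst"], "dport": int(d["dport"]),
        "endpoints": frozenset({(d["src"], int(d["sport"])), (d["dst"], int(d["dport"]))}),
    }


def correlate(log: str) -> list:
    """Return every blocked packet with the BAD ICMP messages seen for its flow."""
    icmp_by_flow: dict = {}
    blocks = []
    for line in log.splitlines():
        e = parse_bad_icmp(line)
        if e:
            icmp_by_flow.setdefault(e["endpoints"], []).append(e)
            continue
        b = parse_block(line)
        if b:
            blocks.append(b)
    return [{**b, "bad_icmp": icmp_by_flow.get(b["endpoints"], [])} for b in blocks]


def summarize(log: str) -> list:
    """One line per blocked packet, naming the ICMP that hit its state, if any."""
    out = []
    for r in correlate(log):
        flow = f"{r['src']}:{r['sport']} > {r['dst']}:{r['dport']} ({r['iface']}, rule {r['rule']})"
        if r["bad_icmp"]:
            hits = ", ".join(f"{e['name']} from {e['icmp_src']}" for e in r["bad_icmp"])
            out.append(f"{flow}: BAD ICMP before block: {hits}")
        else:
            out.append(f"{flow}: no BAD ICMP seen for this flow")
    return out


if __name__ == "__main__":
    for line in summarize(SAMPLE_LOG):
        print(line)
```

Run against a real `pfctl -x loud` kernel log merged with `tcpdump -n -e -ttt -i pflog0` output, the script only needs the two line shapes above; lines it does not recognise (such as the "loose state match" line) are ignored.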