[9.1] PF drop

Olivier Cochard-Labbé olivier at cochard.me
Mon Oct 15 15:52:26 UTC 2012


On Fri, Oct 12, 2012 at 9:42 PM, Patrick Lamaiziere
<patfbsd at davenulle.org> wrote:
> Hello,

Hi Patrick,

>
> As far as I can see, PF replies with an icmp unreachable if a packet is
> dropped in output, even if the block policy is "drop". Which is not the
> intended behavior.
>

I've tested with a simple lab:
PC_1 (10.0.12.1) <===> (em0) FW (em1)<===> PC_2 (10.0.23.3)
and this 3-line rule set:
set block-policy drop
block all
pass proto tcp from em0:network to em1:network

Then I tried to ssh from PC_2 to PC_1, and all traffic is dropped (no
ICMP generated): Tested on -current, 8.2-RELEASE-p6, and 9.1-RC2.

Then I've tried with your rule set adapted to my lab:
block log (all)
pass in quick to 10.0.23.3 no state
block drop out quick on em1 to 10.0.23.3
pass out quick
pass in quick inet

And I tried to ssh from PC_1 to PC_2, and all traffic is dropped (no
ICMP generated) too.

One remark: I'm using pf as module (not compiled in kernel).

Regards,

Olivier
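The two rule sets in this thread only differ in how "block" is spelled out: the global "set block-policy drop" applies to every block rule that does not name its own action, while an explicit "block return" or "block drop" on a rule overrides the global setting. The following script is an added example, not code from Olivier, Patrick or the FreeBSD project; it audits a pf.conf as text and lists every block rule that will answer the sender with an ICMP unreachable or TCP RST instead of silently dropping. The rule set it runs against is constructed for the example and mirrors the lab above; the function names and the assumption that "set block-policy" defaults to drop when absent (as pf.conf(5) documents) are mine.

```shell
#!/bin/sh
# Added example, not code from the thread: audit a pf.conf for block rules
# that answer the sender (ICMP unreachable / TCP RST) even though the intended
# policy is a silent drop. Pure text processing, so it runs on any POSIX sh.

# Constructed sample rule set (file contents passed as a string). The global
# policy is drop, but one rule carries an explicit "return" that overrides it.
SAMPLE_PF_CONF='set block-policy drop
block all                                   # inherits global policy
block return out quick on em1 to 10.0.23.3  # explicit return wins
block drop in quick on em0 from 10.0.12.0/24
pass proto tcp from em0:network to em1:network'

# Same rule set with the global policy flipped to return.
SAMPLE_PF_CONF_RETURN=$(printf '%s\n' "$SAMPLE_PF_CONF" \
    | sed 's/^set block-policy drop/set block-policy return/')

# Effective global policy: last "set block-policy" wins; pf defaults to drop.
effective_policy() {
    printf '%s\n' "$1" | sed 's/#.*//' | awk '
        $1 == "set" && $2 == "block-policy" { pol = $3 }
        END { print (pol == "" ? "drop" : pol) }'
}

# Print every block rule that will generate a reply: explicit return,
# return-rst, return-icmp or return-icmp6 on the rule itself, or a plain
# "block" when the global policy is return. Explicit "drop" is always silent.
noisy_block_rules() {
    pol=$(effective_policy "$1")
    printf '%s\n' "$1" | sed 's/#.*//' | awk -v pol="$pol" '
        $1 != "block" { next }
        {
            explicit = ""
            for (i = 2; i <= NF; i++) {
                if ($i == "drop") explicit = "drop"
                else if ($i ~ /^return/) explicit = "return"
            }
            if (explicit == "return" || (explicit == "" && pol == "return"))
                print
        }'
}

# Number of noisy rules, for a quick pass/fail in a config review.
count_noisy_block_rules() {
    noisy_block_rules "$1" | awk 'END { print NR }'
}

# Usage: run against the constructed samples.
printf 'policy=%s noisy=%s\n' "$(effective_policy "$SAMPLE_PF_CONF")" \
    "$(count_noisy_block_rules "$SAMPLE_PF_CONF")"
noisy_block_rules "$SAMPLE_PF_CONF"
```

The script only reasons about what the rule set asks for; it cannot reproduce the behaviour Patrick reports for packets dropped in the output path, which has to be confirmed on the firewall itself the way Olivier did. On a FreeBSD host, "pfctl -nf /etc/pf.conf" checks the syntax without loading the rules, and because the adapted rule set uses "block log (all)", "tcpdump -n -e -ttt -i pflog0" shows each blocked packet with the rule number that matched, while a capture on the outside interface shows whether any ICMP left the box.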

