can't ping

Thu Jul 17 15:03:48 UTC 2008

	After upgrading a -CURRENT box from the April 19 version to one
from yesterday, ping on that box seems to be broken.  (I noticed the
behavior today; I don't know whether it's directly related to the
upgrade or not.)
	Specifically:

huff@>> netstat -rn -f inet
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            209.6.22.1         UGS         0  1917213    em0
10.0.0.0/8         link#2             UC          0        0    em1
10.0.0.1           00:0e:0c:a8:a7:e9  UHLW        1    38374    lo0
10.255.255.255     ff:ff:ff:ff:ff:ff  UHLWb       1      267    em1
127.0.0.1          127.0.0.1          UH          0   272685    lo0
209.6.22.0/23      link#1             UC          0        0    em0
209.6.22.1         00:0d:66:25:50:01  UHLW        2       25    em0   1196
209.6.22.188       00:0e:0c:a8:a7:e8  UHLW        1        6    lo0
209.6.23.255       ff:ff:ff:ff:ff:ff  UHLWb       1      267    em0

huff@>> ping 209.6.22.188
PING 209.6.22.188 (209.6.22.188): 56 data bytes
64 bytes from 209.6.22.188: icmp_seq=0 ttl=64 time=0.075 ms
64 bytes from 209.6.22.188: icmp_seq=1 ttl=64 time=0.093 ms
64 bytes from 209.6.22.188: icmp_seq=2 ttl=64 time=0.086 ms
64 bytes from 209.6.22.188: icmp_seq=3 ttl=64 time=0.078 ms
64 bytes from 209.6.22.188: icmp_seq=4 ttl=64 time=0.090 ms

huff@>> ping 209.6.22.1
PING 209.6.22.1 (209.6.22.1): 56 data bytes
^C
--- 209.6.22.1 ping statistics ---
10 packets transmitted, 0 packets received, 100.0% packet loss

	I have a firewall; rules are appended.
	The wierd part is other connectivity works: I can ftp,
web-surf, telnet, etc..
	Any ideas on what's broken?


				Robert Huff


00100  630662  280315972 allow ip from any to any via lo0
00200       0          0 deny ip from any to 127.0.0.0/8
00300       0          0 deny ip from 127.0.0.0/8 to any
00350   11780    5065589 allow udp from any 67-68 to any dst-port 67-68
00600       0          0 allow ip6 from any to any via lo0
00610       0          0 deny ip6 from any to ::1
00620       0          0 deny ip6 from ::1 to any
00630      36       2304 allow ip6 from :: to ff02::/16 proto ipv6-icmp
00640       0          0 allow ip6 from fe80::/10 to fe80::/10 proto ipv6-icmp
00650      47       3384 allow ip6 from fe80::/10 to ff02::/16 proto ipv6-icmp
00660       0          0 allow ip6 from 2001:db8:2:1::1 to 2001:db8:2:1::/64
00670       0          0 allow ip6 from 2001:db8:2:1::/64 to 2001:db8:2:1::1
00680       0          0 allow ip6 from fe80::/10 to ff02::/16
00690       0          0 allow ip6 from 2001:db8:2:1::/64 to ff02::/16
00700       0          0 allow ip6 from any to any established proto tcp
00710       0          0 allow ip6 from any to any frag
00720       0          0 allow ip6 from any to 2001:db8:2:1::1 dst-port 25 setup proto tcp
00730       0          0 allow ip6 from 2001:db8:2:1::1 to any setup proto tcp
00740       4        320 deny ip6 from any to any setup proto tcp
00750       0          0 allow ip6 from any 53 to 2001:db8:2:1::1 proto udp
00760       0          0 allow ip6 from 2001:db8:2:1::1 to any dst-port 53 proto udp
00770       0          0 allow ip6 from any 123 to 2001:db8:2:1::1 proto udp
00780       0          0 allow ip6 from 2001:db8:2:1::1 to any dst-port 123 proto udp
00790       0          0 allow ip6 from any to any ip6 icmp6types 1 proto ipv6-icmp
00800    1415      90560 allow ip6 from any to any ip6 icmp6types 2,135,136 proto ipv6-icmp
06000       0          0 deny log logamount 100 tcp from any to any dst-port 137 in via em0
06050      32       3000 deny log logamount 100 udp from any to any dst-port 137 in via em0
06100       0          0 deny log logamount 100 tcp from any to any dst-port 138 in via em0
06150     235      56158 deny log logamount 100 udp from any to any dst-port 138 in via em0
06200       0          0 deny log logamount 100 tcp from any to any dst-port 139 in via em0
06250       0          0 deny log logamount 100 udp from any to any dst-port 139 in via em0
07000       0          0 deny log logamount 100 tcp from any to any dst-port 111 in via em0
07050       0          0 deny log logamount 100 udp from any to any dst-port 111 in via em0
07100       0          0 deny log logamount 100 tcp from any to any dst-port 530 in via em0
07150       0          0 deny log logamount 100 udp from any to any dst-port 530 in via em0
07200       0          0 deny log logamount 100 tcp from any to any dst-port 161 in recv em0
07225       0          0 deny log logamount 100 udp from any to any dst-port 161 in recv em0
07250       0          0 deny log logamount 100 tcp from any to any dst-port 162 in recv em0
07275       0          0 deny log logamount 100 udp from any to any dst-port 162 in recv em0
07300       0          0 deny log logamount 100 tcp from any to any dst-port 194
07310       0          0 deny log logamount 100 udp from any to any dst-port 194
07320       0          0 deny log logamount 100 tcp from any to any dst-port 529
07330       0          0 deny log logamount 100 udp from any to any dst-port 529
07340       0          0 deny log logamount 100 tcp from any to any dst-port 994
07350       0          0 deny log logamount 100 udp from any to any dst-port 994
07360       0          0 deny log logamount 100 tcp from any to any dst-port 6667
07370      23       2341 deny log logamount 100 udp from any to any dst-port 6667
10000 2229463 1617354881 allow tcp from any to any established
10100  631216   58860463 allow ip from any to any out via em0
10200       0          0 allow tcp from 10.0.0.0/8 to any dst-port 80
10300       0          0 allow tcp from any 80 to any dst-port 1024-65535 via em0
10400       0          0 allow tcp from any 443 to any dst-port 1024-65535 via em0
10500       0          0 deny log logamount 100 tcp from any 1024-65535 to any dst-port 80 via em0
10600       0          0 deny log logamount 100 tcp from any 1024-65535 to any dst-port 443 via em0
65000  776246   50780785 allow ip from any to any
65535     122       7329 deny ip from any to any