Return-icmp doesn't work [Was: Re: Recent panics caused by pf]

Emanuel Strobl emanuel.strobl at
Fri Mar 11 04:11:15 PST 2005

On Monday, 21 February 2005 19:24, Max Laier wrote:
> On Monday 21 February 2005 15:57, Harald Schmalzbauer wrote:
> > On Sunday, 20 February 2005 19:10, Max Laier wrote:
> > > /me slaps self ...
> > I tested your patch against RELENG_5 and the panic with "pfctl -Fall"
> > seems to be solved.
> > But I have another problem with renamed interfaces and pf:
> > The following rule can't be loaded (error: routeto: unknown interface
> > SDSL) "pass in on SDSL reply-to (SDSL $sdsl_gw) proto tcp from any to
> > $mta port 25"
> > And there are more oddities with pf and FreeBSD:
> > block return doesn't work. At least for TCP connections I don't get a
> > reset back; instead it times out.
> > Also return-icmp (13) doesn't work.
> Hum?!? ... Are you sure about this?  I am pretty confident that it works.
> I'll have to test to make sure ... later that week/next week.  Keep me
> posted in case you find something.

I'm on the firewall again and verified that block return works for tcp-rst,
but not for return-icmp (with or without code); it seems packets just get
dropped, regardless of which protocol (tested UDP, ICMP, TCP).

Then I have another problem which may be a design problem.
I am multihomed and have several pass reply-to rules. So far things are
working fine, but block return doesn't! Of course, the return goes out over the
default route, so what I need is a block return route-to or something like
Do you know any detour by which this could be achieved?
> > Thanks,
> >
> >
> > -Harry (P.S.: Emanuel and Harry are the same person (me); the gmx address
> > is just a fake identity for mailing lists)
> okay ... you see us perplexed ;)
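A pf.conf sketch of the rules under discussion, added here as an illustration (it is not from the thread or from the pf project itself); the interface name SDSL and the SMTP rule come from the report, while the addresses, macros and extra ports are assumed:

```pf
# Added example ruleset; gateway, MTA address and the non-SMTP ports are
# assumed values for illustration only.
ext_if  = "SDSL"           # renamed interface, as in the report
sdsl_gw = "192.0.2.1"      # assumed upstream gateway reachable via SDSL
mta     = "198.51.100.25"  # assumed mail host behind the firewall

# Default policy: drop silently.  Later matching rules override this.
block all

# "block return" sends a TCP RST for TCP and an ICMP unreachable for UDP;
# other protocols are still dropped silently.  The poster observed the
# RST arriving but never the ICMP.
block return in on $ext_if proto tcp from any to $mta port 587

# Explicit ICMP reply regardless of transport protocol.  Code 13 is
# "communication administratively prohibited".
block return-icmp(13) in on $ext_if proto { tcp udp } \
    from any to $mta port 8080

# Stateful pass with reply-to, so SMTP replies leave via the SDSL gateway
# instead of following the default route.  This is the rule that failed
# to load with "routeto: unknown interface SDSL" in the report.
pass in on $ext_if reply-to ($ext_if $sdsl_gw) proto tcp \
    from any to $mta port 25 keep state

# reply-to only has meaning for rules that create state.  Block rules
# create none, so the RST or ICMP generated by a block rule follows the
# routing table, which is exactly the multihoming problem raised above.
```

Load it with `pfctl -nf /etc/pf.conf` first to check the syntax without activating the rules.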