On Fri, Nov 29, 2013 at 2:53 PM, Ian FREISLICH <i...@clue.co.za> wrote:

> Ermal Luçi wrote:
> > On Fri, Nov 29, 2013 at 1:28 PM, Ian FREISLICH <i...@clue.co.za> wrote:
> > > At some point this stopped working. I was able to use traceroute -I.
> > > This rule let the echo request out and the resulting TTL exceeded
> > > was matched and allowed back in.
> >
> > Which FreeBSD version are you testing this on?
> > Normally it should just work unless the reply src ip is different from your
> > sent dst ip.
>
> I'm using 11.0-CURRENT #41 r258736 and if-bound state. This doesn't
> work from the host or from a host on any interface that has the
> rule:
>

Have you tried relaxing the if-bound rule to see if it succeeds?
Other than that, the code there for matching ICMP state based on these
specific returns is similar on all pf versions.

> > pass out inet proto icmp from <ournets> to any icmp-type echoreq
>
> All interfaces have 'pass in all'.
>
> So for instance a host on vlan21 cannot traceroute to a host off vlan23:
>
> [rv1.jnb1] ~ $ traceroute -w1 -I router.lsn102
> traceroute to router.lsn102.gp-online.net (41.154.14.81), 64 hops max, 72 byte packets
>  1  firewall1.vlan21.jnb1.gp-online.net (41.154.0.58)  0.195 ms  0.152 ms  0.169 ms
>  2  * * *
>  3  * * *
>  4  * * *
>  5  * * *
>  6  * * *
>  7  bridge1.router.lsn102.gp-online.net (41.154.14.81)  4.080 ms  5.859 ms  6.832 ms
>
> However, the traffic is not being denied, or at least it's not being
> logged, and all my block rules log.
>
> When the source interface does not have the rule
> pass out inet proto icmp from <ournets> to any icmp-type echoreq
> then the traceroute is successful.
>
> Ian
>
> --
> Ian Freislich
>

--
Ermal
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"
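The pf.conf fragment below is an added example and is not part of the thread or of Ian's actual ruleset. It puts the posted echoreq rule next to the check Ermal asks for: the same rule with floating rather than if-bound state, so the two can be compared on the box. The `set state-policy if-bound` line, the table contents and the interface names are assumptions reconstructed from what the thread says ("if bound state", `pass in all`, hosts in 41.154.0.0/24 and 41.154.14.0/24); they are not quoted from the original configuration.

```pf
# Added example, not from the mailing-list thread. Assumptions: the box
# runs with a global if-bound state policy, <ournets> covers the two
# subnets visible in the traceroute, and vlan21/vlan23 are the interfaces
# involved. Addresses below are constructed from the thread's output.
table <ournets> { 41.154.0.0/24, 41.154.14.0/24 }

# As posted: if-bound states only match return traffic that arrives on
# the interface the state was created on.
set state-policy if-bound

# Every interface passes inbound traffic (the thread's 'pass in all').
pass in all

# The rule from the thread, inheriting if-bound state. With this rule in
# place, traceroute -I through the firewall loses hops 2-6.
pass out inet proto icmp from <ournets> to any icmp-type echoreq

# The check Ermal suggests: relax if-bound for this one rule. A floating
# state is matched on whichever interface the reply shows up on, so the
# ICMP time-exceeded for the echo request can be matched to the state
# regardless of the interface it returns through.
pass out inet proto icmp from <ournets> to any icmp-type echoreq keep state (floating)
```

To confirm which policy a state actually got, run `pfctl -ss` while a traceroute is in flight: pf prints the binding interface name in front of an if-bound state and `all` in front of a floating one. If the hops appear with the floating variant and vanish with the if-bound one, that isolates the behaviour to state binding rather than to a block rule, which fits Ian's observation that nothing is being logged.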