On 01/04/14 18:32, Kapetanakis Giannis wrote:
Hi,
I had the following rule in pf which served me well so far. After updating today to current (from 5.4 Jan), icmp replies from the firewall stopped working.
# pfctl -sr | head -2
pass in log quick on vlan101 inet from 192.168.1.1 to (vlan101) flags S/SA keep state (no-sync) reply-to 10.1.101.1@vlan101
pass out log quick inet from any to 192.168.1.1 flags S/SA
The actual rule is:
pass in quick log on $mgmt_if from $admin to ($mgmt_if) keep state (no-sync) reply-to ($mgmt_if $mgmt_gw)
On the pf log I get:
Apr 01 18:24:03.077339 rule 0/(match) pass in on vlan101: 192.168.1.1.33831 > 10.1.101.2.22: S 2819604746:2819604746(0) win 29200 <mss 1460,sackOK,timestamp 1811982616 0,nop,wscale 9> (DF)
Apr 01 18:24:05.838976 rule 0/(match) pass in on vlan101: 192.168.1.1 > 10.1.101.2: icmp: echo request (DF)
Apr 01 18:24:05.838988 rule 1/(match) pass out on vlan102: 10.1.102.2 > 192.168.1.1: icmp: echo reply (DF)
The ssh works fine.
The icmp reply does not go back out on vlan101 (as reply-to specifies) but leaves on vlan102 (the route entry for 192.168.1.1).
Any ideas?
Thanks
G
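The symptom above is visible in the pflog output itself: the echo request enters on vlan101, yet the echo reply leaves on vlan102 with vlan102's address as source. The following script is an added example, not part of the thread or of OpenBSD; it parses pflog lines in the format quoted above, pairs each inbound ICMP echo request with the firewall's outbound echo reply, and flags replies that ignore the expected reply-to interface or source address. The sample log is a constructed copy of the three lines from the message, and the protocol classification from the trailing text is a simple heuristic (an assumption, not pf's own logic).

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One pflog line as quoted in the thread: timestamp, matched rule, action,
# direction, interface, then "src[.port] > dst[.port]: <protocol detail>".
PFLOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} [\d:.]+) rule (?P<rule>\d+)/\(match\) "
    r"(?P<action>pass|block) (?P<direction>in|out) on (?P<ifname>\w+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))?\s*>\s*"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: "
    r"(?P<info>.*)$"
)

# Constructed sample: the three log lines quoted in the message, rejoined.
SAMPLE_PFLOG = """\
Apr 01 18:24:03.077339 rule 0/(match) pass in on vlan101: 192.168.1.1.33831 > 10.1.101.2.22: S 2819604746:2819604746(0) win 29200 <mss 1460,sackOK,timestamp 1811982616 0,nop,wscale 9> (DF)
Apr 01 18:24:05.838976 rule 0/(match) pass in on vlan101: 192.168.1.1 > 10.1.101.2: icmp: echo request (DF)
Apr 01 18:24:05.838988 rule 1/(match) pass out on vlan102: 10.1.102.2 > 192.168.1.1: icmp: echo reply (DF)
"""


@dataclass
class PfLogEntry:
    ts: str
    rule: int
    action: str
    direction: str
    ifname: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    proto: str
    info: str


def parse_line(line: str) -> Optional[PfLogEntry]:
    """Parse one pflog line; return None for lines that do not match."""
    m = PFLOG_RE.match(line.strip())
    if not m:
        return None
    sport = int(m["sport"]) if m["sport"] else None
    dport = int(m["dport"]) if m["dport"] else None
    info = m["info"]
    # Heuristic classification from the protocol detail (assumption).
    if info.startswith("icmp:"):
        proto = "icmp"
    elif info.startswith("udp"):
        proto = "udp"
    elif sport is not None:
        proto = "tcp"
    else:
        proto = "other"
    return PfLogEntry(m["ts"], int(m["rule"]), m["action"], m["direction"],
                      m["ifname"], m["src"], sport, m["dst"], dport, proto, info)


def parse_pflog(text: str) -> List[PfLogEntry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def find_asymmetric_replies(entries: List[PfLogEntry]) -> List[dict]:
    """Pair inbound echo requests with the firewall's outbound echo replies.

    A reply-to rule promises that the reply leaves on the interface the
    request arrived on, sourced from the address the request was sent to.
    Any reply that leaves elsewhere, or from another address, is reported.
    """
    pending = {}  # requester address -> inbound echo request entry
    findings = []
    for e in entries:
        if e.proto != "icmp":
            continue
        if e.direction == "in" and "echo request" in e.info:
            pending[e.src] = e
        elif e.direction == "out" and "echo reply" in e.info:
            req = pending.pop(e.dst, None)
            if req is None:
                continue
            if e.ifname != req.ifname or e.src != req.dst:
                findings.append({
                    "ts": e.ts,
                    "requester": e.dst,
                    "in_if": req.ifname,
                    "out_if": e.ifname,
                    "expected_src": req.dst,
                    "reply_src": e.src,
                })
    return findings


if __name__ == "__main__":
    for f in find_asymmetric_replies(parse_pflog(SAMPLE_PFLOG)):
        print(f"{f['ts']}: reply to {f['requester']} left on {f['out_if']} "
              f"from {f['reply_src']}, expected {f['in_if']} / {f['expected_src']}")
```

Run it against live output from tcpdump on pflog0 instead of the sample to confirm, after applying a fix, that echo replies really do leave on the reply-to interface again; an empty result means every paired reply honoured the rule.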
The latest errata seems to fix the problem:
http://ftp.openbsd.org/pub/OpenBSD/patches/5.5/common/001_icmp.patch.sig
G