I'm guessing it's because the default state policy is floating. Just looking at the rules provided, the traffic should be able to pass through. Try either pulling the "keep state" option, or setting the state policy to if-bound, and see what happens.
So if it should be working now, why isn't it? For a sanity check, try opening the rules and pinging the host from the firewall.

Joe

On 10/12/06, Martin Gignac <[EMAIL PROTECTED]> wrote:
Consider the following setup (OpenBSD 4.0-current):

Win PC ----> (vlan1) [OpenBSD FW] (vlan0) ----> Host

1. With the following pf ruleset:

set skip on { lo0 }
scrub all fragment reassemble
block drop all

A ping command on the Windows PC towards the Host (172.23.1.21) gives the following (expected) result:

-----------------------------------------------------
Pinging 172.23.1.21 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 172.23.1.21:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
-----------------------------------------------------

2. However, with the following ruleset:

set skip on { lo0 }
scrub all fragment reassemble
block drop all
pass in on vlan1 inet all flags S/SA keep state

Here is what I get:

-----------------------------------------------------
Pinging 172.23.1.21 with 32 bytes of data:

Reply from 172.23.66.1: Destination host unreachable.
Reply from 172.23.66.1: Destination host unreachable.
Reply from 172.23.66.1: Destination host unreachable.
Reply from 172.23.66.1: Destination host unreachable.

Ping statistics for 172.23.1.21:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
-----------------------------------------------------

As I understand it, in #1 the echo-request packets are simply dropped by the 'block drop all' for the vlan1 interface and nothing is returned. However, at #2 I expected the same behavior because although the packets are "let through" on the vlan1 interface, the way I see it the vlan0 interface matches the 'block drop all' rule and I simply assumed that the echo-request packet would be dropped as well. However, I was surprised to see ICMP host unreachable messages being sent back from the OpenBSD firewall. What am I doing wrong?

How can I keep putting the "blocking" step on the "outbound" interface and yet *not* return any ICMP unreachable packets when traffic is blocked?

Thanks,
-Martin

--
"Suburbia is where the developer bulldozes out the trees, then names the streets after them." --Bill Vaughan
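To illustrate the floating vs if-bound distinction Joe raises against Martin's two rulesets, here is an added toy model of pf's last-match rule evaluation and state matching; it is a constructed illustration written for this thread, not pf's own code, and the packet, rule tuples and `Pf`/`forward` names are assumptions.

```python
# Toy model of pf last-matching-rule evaluation with "keep state" and the
# "set state-policy" option. Constructed illustration only, not the real pf.

FLOATING = "floating"   # pf default: a state matches on any interface
IF_BOUND = "if-bound"   # state only matches on the interface that created it

# Constructed echo request from the Windows PC (behind vlan1) to the host.
ECHO = {"src": "172.23.66.10", "dst": "172.23.1.21", "proto": "icmp"}

# Rules as (action, direction, interface, keep_state); "any" is a wildcard.
# Ruleset #1 from the thread: only "block drop all".
RULESET_1 = [("block", "any", "any", False)]
# Ruleset #2: "block drop all" followed by "pass in on vlan1 ... keep state".
RULESET_2 = [("block", "any", "any", False), ("pass", "in", "vlan1", True)]


class Pf:
    def __init__(self, rules, state_policy=FLOATING):
        self.rules = rules
        self.state_policy = state_policy
        self.states = {}  # (src, dst, proto) -> bound iface, or None if floating

    def _state_matches(self, pkt, iface):
        bound = self.states.get((pkt["src"], pkt["dst"], pkt["proto"]), "none")
        return bound == "none" and False or bound is None or bound == iface

    def test(self, pkt, direction, iface):
        # A matching state bypasses the ruleset entirely, as in pf.
        if self._state_matches(pkt, iface):
            return "pass"
        verdict, keep = "pass", False  # pf passes if no rule matches at all
        for action, rdir, riface, keep_state in self.rules:
            if rdir in ("any", direction) and riface in ("any", iface):
                verdict, keep = action, keep_state  # last match wins
        if verdict == "pass" and keep:
            key = (pkt["src"], pkt["dst"], pkt["proto"])
            self.states[key] = None if self.state_policy == FLOATING else iface
        return verdict


def forward(pf, pkt):
    """Echo request enters on vlan1 and, if passed, is sent out on vlan0."""
    if pf.test(pkt, "in", "vlan1") != "pass":
        return "dropped at vlan1 in"
    if pf.test(pkt, "out", "vlan0") != "pass":
        return "dropped at vlan0 out"
    return "forwarded"
```

With floating states the state created by the vlan1 pass rule also matches the same packet leaving on vlan0, so the outbound "block drop all" never sees it; with if-bound the state stays on vlan1 and the outbound block applies.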