[9.1] PF drop
Patrick Lamaiziere
patfbsd at davenulle.org
Fri Oct 12 19:42:46 UTC 2012
Hello,
As far as I can see, PF replies with an ICMP unreachable if a packet is
dropped in output, even if the block policy is "drop", which is not the
intended behavior.
I've made a few tests with this setup:
host1 (192.168.1.60) <-> (vr0:192.168.1.254) PF (vr2:192.168.200.254) <-> host2 (192.168.200.2)
If I block incoming (i.e. on vr0) traffic to 192.168.202 the packet
is simply dropped.
Rules (the "no state" is here to ensure that states are not
the problem):
block log (all)
pass in quick to 192.168.200.2 no state
block drop out quick on vr2 to 192.168.200.2
pass out quick
pass in quick inet
When I ping or ssh to the filtered host:
host1:
$ ssh 192.168.200.2
ssh: connect to host 192.168.200.2 port 22: No route to host
tcpdump on the firewall (vr0):
21:36:50.328825 IP 192.168.1.254 > 192.168.1.60: ICMP host 192.168.200.2 unreachable, length 68
The good news is that packets are filtered on output.
I see a similar behavior on OpenBSD 5.1, but this is not systematic.
Any idea?
Thanks, regards.
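A small detection aid for the symptom described in this post, added here as an example and not part of the original message or of PF itself: it scans tcpdump output and flags ICMP unreachable messages whose source is one of the firewall's own addresses, i.e. replies that a "block drop" ruleset should never have generated and that tell the client which destination is being filtered. The firewall addresses are the vr0/vr2 addresses from the post's setup; the capture lines are constructed to resemble the one quoted above, and "need to frag" (path-MTU) messages are deliberately ignored since those are legitimate.

```python
"""Flag ICMP unreachable replies that a PF box sends back to a client for a
destination the ruleset was meant to silently drop (block-policy drop).

Added example, not code from the original post. Firewall addresses are the
ones in the post's setup; the capture below is constructed sample data."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Interface addresses of the PF host in the post's setup (vr0 and vr2).
FIREWALL_ADDRS = {"192.168.1.254", "192.168.200.254"}

# Constructed sample capture, modelled on the tcpdump line quoted in the post.
SAMPLE_TCPDUMP = """\
21:36:50.328825 IP 192.168.1.254 > 192.168.1.60: ICMP host 192.168.200.2 unreachable, length 68
21:36:51.004211 IP 192.168.1.60 > 192.168.200.2: ICMP echo request, id 1, seq 1, length 64
21:36:52.117603 IP 192.168.1.254 > 192.168.1.60: ICMP 192.168.200.2 unreachable - need to frag (mtu 1400), length 36
21:36:53.220087 IP 10.0.0.1 > 192.168.1.60: ICMP host 192.168.200.2 unreachable, length 68
21:36:54.330500 IP 192.168.200.254 > 192.168.200.2: ICMP 192.168.1.60 udp port 53 unreachable, length 36
"""


@dataclass(frozen=True)
class Leak:
    ts: str      # capture timestamp
    src: str     # address the ICMP came from (the firewall)
    dst: str     # client that received it
    target: str  # filtered destination revealed by the message


# tcpdump prints unreachables as "ICMP host X unreachable", "ICMP net X
# unreachable", "ICMP X udp port N unreachable", "ICMP X protocol N unreachable"
# and the PMTU form "ICMP X unreachable - need to frag (mtu N)".
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP (?:host |net )?(?P<target>[\d.]+)(?: \S+ port \d+| protocol \S+)? "
    r"unreachable(?P<rest>.*)$"
)


def find_leaked_unreachables(capture: str, firewall_addrs: Iterable[str]) -> List[Leak]:
    """Return every ICMP unreachable in `capture` that was emitted by the firewall."""
    fw = set(firewall_addrs)
    leaks: List[Leak] = []
    for line in capture.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an ICMP unreachable line
        if "need to frag" in m.group("rest"):
            continue  # path-MTU discovery reply: expected, not a filtering leak
        if m.group("src") not in fw:
            continue  # unreachable from some other router; out of scope here
        leaks.append(Leak(m.group("ts"), m.group("src"), m.group("dst"), m.group("target")))
    return leaks


def summarize_by_client(leaks: Iterable[Leak]) -> Dict[str, List[str]]:
    """Map each client address to the sorted list of filtered targets revealed to it."""
    out: Dict[str, set] = {}
    for leak in leaks:
        out.setdefault(leak.dst, set()).add(leak.target)
    return {client: sorted(targets) for client, targets in out.items()}


if __name__ == "__main__":
    for leak in find_leaked_unreachables(SAMPLE_TCPDUMP, FIREWALL_ADDRS):
        print(f"{leak.ts} firewall {leak.src} told {leak.dst} that {leak.target} is unreachable")
    print(summarize_by_client(find_leaked_unreachables(SAMPLE_TCPDUMP, FIREWALL_ADDRS)))
```

Feed it real output from `tcpdump -n -i vr0 icmp` (the `-n` matters so addresses are not resolved to names); a non-empty result after applying "block drop" rules reproduces exactly the behaviour reported above.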