[9.1] PF drop

Patrick Lamaiziere patfbsd at davenulle.org
Tue Oct 16 20:57:37 UTC 2012


On Tue, 16 Oct 2012 09:13:38 +0200,
Patrick Lamaiziere <patfbsd at davenulle.org> wrote:

Hello,

> To be sure that states are not involved at all I've used a serial
> console on the firewall (previous tests were made with ssh).
> 
> So I don't understand why you don't reproduce this. I will make a few
> more tests.

I've tested on my workstation at work running a fresh 9.1-STABLE and
I still saw "icmp unreachable".

So I don't understand...
Config of the first example (Net5501)

No special sysctl set.
$ uname -a
FreeBSD malpractice.lamaiziere.net 9.1-RC2 FreeBSD 9.1-RC2 #0 r241596:
Mon Oct 15 21:23:23 CEST 2012
root at baby-jane.lamaiziere.net:/usr/obj/usr/src/sys/GENERIC  i386

/etc/rc.conf:
background_fsck="NO"
hostname="malpractice.lamaiziere.net"

keymap="fr.iso.acc"
dumpdev="/dev/ad0s1b"
dumpdir="/usr/crash"
devfs_system_ruleset="lpt"
clear_tmp_enable="YES"

pf_enable="YES"
pflog_enable="YES"

ipv6_network_interfaces=""
ifconfig_vr0="192.168.1.254 netmask 255.255.255.0"
ifconfig_vr2="192.168.200.254 netmask 255.255.255.0"
ifconfig_vr3="10.0.200.254 netmask 255.255.255.0"
defaultrouter="192.168.1.1"
gateway_enable="YES"

sshd_enable="YES"
sshd_flags="-u0"

sendmail_enable="YES"
sendmail_flags="-bd"
sendmail_pidfile="/var/spool/postfix/pid/master.pid"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
----------

Rules:
pfctl -s rules
No ALTQ support in kernel
ALTQ related functions disabled
block drop log (all) all
pass in quick inet from any to 192.168.200.2 no state
block drop out quick on vr2 inet from any to 192.168.200.2
pass out quick all flags S/SA keep state
pass in quick inet all flags S/SA keep state

When I ping from 192.168.1.60 to the dropped host (192.168.200.2):
root at malpractice:/root # tcpdump -i vr0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vr0, link-type EN10MB (Ethernet), capture size 65535 bytes
22:55:17.855511 IP 192.168.1.60 > 192.168.200.2: ICMP echo request, id 47511, seq 1072, length 64
22:55:17.855665 IP 192.168.1.254 > 192.168.1.60: ICMP host 192.168.200.2 unreachable, length 36
22:55:18.856492 IP 192.168.1.60 > 192.168.200.2: ICMP echo request, id 47511, seq 1073, length 64
22:55:18.856610 IP 192.168.1.254 > 192.168.1.60: ICMP host 192.168.200.2 unreachable, length 36

Regards.
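A small check, added here as an example and not part of the original post, that scans a tcpdump capture like the one above and reports, per probed destination, whether the firewall dropped silently or answered with ICMP host unreachable (the behaviour the post describes). The capture text and the extra 192.168.200.3 probe are constructed sample data; the firewall address is the one from the post.

```python
import re
from collections import Counter

# Constructed sample modelled on the tcpdump lines in the post (not the original capture).
# The last line is an added probe to a host that gets no reply at all.
CAPTURE = """\
22:55:17.855511 IP 192.168.1.60 > 192.168.200.2: ICMP echo request, id 47511, seq 1072, length 64
22:55:17.855665 IP 192.168.1.254 > 192.168.1.60: ICMP host 192.168.200.2 unreachable, length 36
22:55:18.856492 IP 192.168.1.60 > 192.168.200.2: ICMP echo request, id 47511, seq 1073, length 64
22:55:18.856610 IP 192.168.1.254 > 192.168.1.60: ICMP host 192.168.200.2 unreachable, length 36
22:55:19.857001 IP 192.168.1.60 > 192.168.200.3: ICMP echo request, id 47511, seq 1, length 64
"""

# tcpdump's default ICMP formatting for echo requests and host-unreachable errors
ECHO_RE = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): ICMP echo request")
UNREACH_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<fw>\S+) > (?P<dst>\S+): ICMP host (?P<target>\S+) unreachable"
)


def classify_drops(capture, firewall_ip):
    """Map each probed destination to (verdict, probes_sent, unreachables_from_firewall).

    verdict is "icmp-unreachable" when the firewall itself answered the probes with
    ICMP host unreachable (it reveals a filter in the path and which host is filtered),
    or "silent" when the probes simply went unanswered, which is what a block drop
    rule is expected to do.
    """
    probes = Counter()
    unreach = Counter()
    for line in capture.splitlines():
        m = ECHO_RE.match(line)
        if m:
            probes[m["dst"]] += 1
            continue
        m = UNREACH_RE.match(line)
        # Only count errors emitted by the firewall, not by some other router on the path
        if m and m["fw"] == firewall_ip:
            unreach[m["target"]] += 1
    return {
        dst: ("icmp-unreachable" if unreach[dst] else "silent", n, unreach[dst])
        for dst, n in probes.items()
    }


if __name__ == "__main__":
    for dst, (verdict, sent, errs) in classify_drops(CAPTURE, "192.168.1.254").items():
        print(f"{dst}: {verdict} ({sent} probes, {errs} unreachable replies)")
```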


More information about the freebsd-pf mailing list