icmp-type echoreq not matching resulting ttl exceeded
Gleb Smirnoff
glebius at FreeBSD.org
Wed Dec 4 13:34:13 UTC 2013
Ian,
On Fri, Nov 29, 2013 at 02:28:27PM +0200, Ian FREISLICH wrote:
I> At some point this stopped working. I was able to use traceroute -I
I> This rule let the echo request out and the resulting TTL exceeded
I> was matched and allowed back in.
I>
I> pass out inet proto icmp from <ournets> to any icmp-type echoreq
I>
I> I've had to change the rule to the following to keep traceroute going:
I>
I> pass out inet proto icmp from <ournets> to any
This is probably related to r257223. Baptiste, any ideas?
Ian, is it possible to reproduce this on a single host? What pf.conf
and traceroute command are required?
--
Totus tuus, Glebius.
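The behaviour Ian relies on is that a state created by an outbound echo request also admits the ICMP "time exceeded" a router sends back for it, even though that error comes from a different source address. The example below is added here and is not from the thread or from pf's own code: it builds the outbound echo request, the type 11 error a router would return for it, and a toy state table keyed the way a stateful ICMP filter keys echo states, then shows that the error is matched through the original datagram quoted in its payload (RFC 792: IP header plus first 8 bytes, which for an echo request includes the identifier). Addresses, identifiers and the rule string are constructed; the example illustrates the expected matching, not what r257223 changed.

```python
"""
Constructed example: matching an ICMP "time exceeded" back to the state
created by an outbound echo request.  Toy model, not pf's implementation.
"""
import struct
import ipaddress

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
ICMP_TIME_EXCEEDED = 11
ICMP_ERROR_TYPES = {3, 11, 12}   # unreachable, time exceeded, parameter problem
IPPROTO_ICMP = 1


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) carrying an ICMP payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl,
                      IPPROTO_ICMP, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_echo(icmp_type: int, ident: int, seq: int, data: bytes = b"probe") -> bytes:
    """ICMP echo request (type 8) or reply (type 0) with identifier and sequence."""
    body = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + data
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]


def build_time_exceeded(original: bytes) -> bytes:
    """ICMP type 11, code 0: 4 unused bytes, then the offending IP header plus
    the first 8 bytes of its payload (RFC 792).  For an echo request those 8
    bytes are the whole ICMP header, identifier included."""
    ihl = (original[0] & 0x0F) * 4
    body = struct.pack("!BBHI", ICMP_TIME_EXCEEDED, 0, 0, 0) + original[:ihl + 8]
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]


def state_key_for_outbound(packet: bytes):
    """Key a new state on an outbound echo request: (src, dst, icmp id).
    Returns None for anything that is not an ICMP echo request."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_ICMP:
        return None
    icmp = packet[ihl:]
    if icmp[0] != ICMP_ECHO_REQUEST:
        return None
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    ident = struct.unpack("!H", icmp[4:6])[0]
    return (src, dst, ident)


def lookup_state(packet: bytes, states: dict):
    """Find the state an inbound ICMP packet belongs to.

    Echo replies are keyed directly with the addresses reversed.  ICMP errors
    quote the original datagram, so their key comes from the inner packet;
    that is why a TTL-exceeded from an intermediate router can still match a
    state created by an echo request to a different destination."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_ICMP:
        return None
    icmp = packet[ihl:]
    itype = icmp[0]
    if itype == ICMP_ECHO_REPLY:
        src = str(ipaddress.IPv4Address(packet[12:16]))
        dst = str(ipaddress.IPv4Address(packet[16:20]))
        ident = struct.unpack("!H", icmp[4:6])[0]
        return states.get((dst, src, ident))
    if itype in ICMP_ERROR_TYPES:
        return states.get(state_key_for_outbound(icmp[8:]))
    return None


def demo():
    """Constructed traceroute hop: our host (192.0.2.10) probes 198.51.100.7
    with TTL 1; router 203.0.113.1 answers with time exceeded."""
    states = {}
    echo = build_ipv4("192.0.2.10", "198.51.100.7",
                      build_echo(ICMP_ECHO_REQUEST, 0x1234, 1), ttl=1)
    # An "icmp-type echoreq" pass-out rule with state creates this entry.
    states[state_key_for_outbound(echo)] = \
        "pass out inet proto icmp from <ournets> to any icmp-type echoreq"
    exceeded = build_ipv4("203.0.113.1", "192.0.2.10", build_time_exceeded(echo))
    return lookup_state(exceeded, states)


if __name__ == "__main__":
    print(demo())
```

When debugging a case like the one in the thread, the useful comparison is exactly this: the identifier and addresses in the quoted inner header of the time-exceeded packet against the state the echo request created. If those agree but the packet is still dropped, the filter's ICMP error handling, not the rule syntax, is where to look.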