Emanuel Strobl
2005-Mar-11 12:12 UTC
Return-icmp doesn't work [Was: Re: Recent panics caused by pf]
On Monday, 21 February 2005 19:24, Max Laier wrote:
> On Monday, 21 February 2005 15:57, Harald Schmalzbauer wrote:
> > On Sunday, 20 February 2005 19:10, Max Laier wrote:
> > > /me slaps self ...
[...]
> > I tested your patch against RELENG_5 and the panic with "pfctl -Fall"
> > seems to be solved.
> > But I have another problem with renamed interfaces and pf:
> > The following rule can't be loaded (error: routeto: unknown interface
> > SDSL) "pass in on SDSL reply-to (SDSL $sdsl_gw) proto tcp from any to
> > $mta port 25"
[...]
> > And there are more oddities with pf and FreeBSD:
> > block return doesn't work. At least for TCP connections I don't get a
> > reset back; instead it times out.
> > Also return-icmp (13) doesn't work.
>
> Hum?!? ... Are you sure about this? I am pretty confident that it works.
> I'll have to test to make sure ... later that week/next week. Keep me
> posted in case you find something.

I'm on the firewall again and verified that block return works for tcp-rst, but not for return-icmp (with or without code); it seems packets just get dropped, regardless of which protocol (tested UDP, ICMP, TCP).

Then I have another problem, which may be a design problem. I am multihomed and have several pass reply-to rules. So far things are working fine, but block return doesn't! Of course, the return goes over the default route, so what I need is a "block return route-to" or something like that. Do you know any detour by which this could be achieved?

Thanks,

-Harry

> > > Thanks,
> > >
> > > -Harry (P.S.: Emanuel and Harry are the same person (me); the gmx address
> > > is just a fake identity for mailing lists)
>
> okay ... you see us perplexed ;)
Emanuel Strobl
2005-Mar-11 14:18 UTC
Return-icmp doesn't work [Was: Re: Recent panics caused by pf]
On Friday, 11 March 2005 13:10, Emanuel Strobl wrote:
> I'm on the firewall again and verified that block return works for tcp-rst,
> but not for return-icmp (with or without code); it seems packets just get
> dropped, regardless of which protocol (tested UDP, ICMP, TCP).

Sorry for the noise, it's my mistake: ping doesn't show me the error message. I think I can remember that the last time I created/tested a ruleset (with 4.6) I got detailed error messages like "telnet: connect to address 82.135.28.195: Destination Host Unreachable", but now I just get "telnet: connect to address 82.135.28.195: Connection refused" without the error report. Is it possible that in former times these ICMP error messages were printed on the console, which the kernel now doesn't do anymore?

> Then I have another problem, which may be a design problem.
> I am multihomed and have several pass reply-to rules. So far things are
> working fine, but block return doesn't! Of course, the return goes over the
> default route, so what I need is a "block return route-to" or something
> like that.
> Do you know any detour by which this could be achieved?

This problem is still unsolved :(

Thanks,

-Harry

> > Thanks,
> >
> > -Harry
> >
> > > > Thanks,
> > > >
> > > > -Harry (P.S.: Emanuel and Harry are the same person (me); the gmx
> > > > address is just a fake identity for mailing lists)
> > >
> > > okay ... you see us perplexed ;)
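To make the rule shapes discussed in both messages above concrete, here is an added pf.conf fragment. It is constructed for this page and is not the poster's ruleset: the interface name SDSL is taken from the thread, while the addresses and macro names are assumptions (RFC 5737 documentation space). It shows the return variants of block next to a stateful pass with reply-to, and the comments record what the thread reports: reply-to only steers the replies of connections that created state, whereas the RST or ICMP error a block rule generates carries no state and is sent along the kernel's ordinary route, which on a multihomed host is the default route the poster describes. The thread offers no pf-level fix for that, and this example does not claim one.

```pf
# Added example for this page (constructed, not the poster's ruleset).
# "SDSL" is the renamed interface from the thread; addresses and macro
# names below are assumptions.
ext_if  = "SDSL"
sdsl_gw = "192.0.2.1"     # assumed next hop on the SDSL link
mta     = "192.0.2.10"    # assumed mail host behind the firewall

# Default: silently drop everything arriving on the SDSL side.
block drop in on $ext_if

# pf evaluates rules last-match-wins (unless "quick"), so the more specific
# return variants come after the default drop:
#  - return-rst      : TCP RST back to the sender (the case the thread found working)
#  - return-icmp(13) : ICMP unreachable, code 13 "communication administratively prohibited"
#  - plain "return" would pick RST for TCP and ICMP unreachable for UDP
block return-rst      in on $ext_if proto tcp from any to $mta
block return-icmp(13) in on $ext_if proto udp from any to $mta

# Stateful pass with reply-to: packets matching this state on their way back
# out are sent via $sdsl_gw on $ext_if instead of following the default route.
# reply-to relies on the state entry to know which direction is the "reply",
# so it only affects traffic this rule passed. The RST/ICMP generated by the
# block rules above has no state and leaves by the kernel's normal route,
# which is the multihoming problem left unsolved in the thread.
pass in on $ext_if reply-to ($ext_if $sdsl_gw) proto tcp from any to $mta port 25 keep state
```

Check the syntax without loading it using `pfctl -nf /etc/pf.conf`; this parse step is where an error such as "routeto: unknown interface SDSL" shows up. To see what the firewall actually emits for a blocked connection, watch the link with a filter for RSTs and admin-prohibited unreachables, for example `tcpdump -ni SDSL 'tcp[tcpflags] & tcp-rst != 0 or (icmp[0] == 3 and icmp[1] == 13)'`, and drive the test with a TCP or UDP client against the blocked port rather than with ping, as the second message notes.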