The following reply was made to PR system/6564; it has been noted by GNATS.
From: Mike Belopuhov <[email protected]>
To: [email protected]
Cc: [email protected]
Subject: Re: system/6564: pf not nating(does not see) icmp4 port unreachable packets from machine behind pf
Date: Thu, 17 Feb 2011 11:50:10 +0100

On Thu, Feb 17, 2011 at 12:51 +1100, [email protected] wrote:
> >Number:         6564
> >Category:       system
> >Synopsis:       nating icmp4 port unreachable
> >Confidential:   yes
> >Severity:       serious
> >Priority:       medium
> >Responsible:    bugs
> >State:          open
> >Quarter:
> >Keywords:
> >Date-Required:
> >Class:          sw-bug
> >Submitter-Id:   unknown
> >Arrival-Date:   Thu Feb 17 02:50:01 GMT 2011
> >Closed-Date:
> >Last-Modified:
> >Originator:
> >Release:
> >Organization:
> >Environment:
>         System      : OpenBSD 4.9
>         Details     : OpenBSD 4.9 (GENERIC) #0: Thu Feb 17 09:10:06 MAGT 2011
>                       root@gw:/usr/src/sys/arch/i386/compile/GENERIC
>
>         Architecture: OpenBSD.i386
>         Machine     : i386
> >Description:
> pf rules:
>
>     match in on $int inet from $int_network_machine to any tag PASS
>     match out on $ext inet from $int_network_machine to any tag PASS nat-to $ext static-port
>     match in on $ext inet from any to $ext tag PASS rdr-to $int_network_machine
>     pass all flags S/SA keep state tagged PASS
>
> tcpdump on $ext:
>
>     $int_network_machine > $some_external_machine: icmp: $ext udp port $any_unresponsive_port unreachable
>
> pf does not see this packet as icmp
> >How-To-Repeat:
> send any udp packet to $ext in $any_unresponsive_port on $int_network_machine
> tested on 47,48,49
> >Fix:
>

It should work just fine starting with 4.8.  At least, in -current I get
icmp port unreachable correctly translated with your pf.conf.  So check
your configs.
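Added illustration (Python written for this page, not code from the PR, from pf, or from Mike's reply) of what the tcpdump line above is showing: the ICMP port unreachable the internal host sends carries a copy of the original IP header plus the first 8 bytes of the UDP header, so a translator handling the reply to an rdr'd packet has to rewrite both the outer source and that quoted inner destination to $ext and refresh every checksum, otherwise the error reaches the external host naming the private address. All addresses, ports and function names are constructed for the example; the quoted UDP header has its checksum disabled (0), so the sample skips the UDP checksum adjustment a real NAT also performs.

```python
import socket
import struct
def checksum(data: bytes) -> int:  # RFC 1071 one's-complement sum; 0 over data with a valid checksum
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def port_unreachable(osrc, odst, isrc, idst, sport, dport) -> bytes:
    """ICMP type 3 code 3 (RFC 792): quoted inner IP header + 8 UDP bytes; UDP checksum left 0 (disabled)."""
    inner = ipv4_header(isrc, idst, 17, 8) + struct.pack("!HHHH", sport, dport, 8, 0)
    icmp = struct.pack("!BBHI", 3, 3, 0, 0) + inner
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return ipv4_header(osrc, odst, 1, len(icmp)) + icmp

# Constructed sample: host 192.168.1.10 behind $ext 198.51.100.1 answers 203.0.113.5's UDP probe to port 5000.
SAMPLE = port_unreachable("192.168.1.10", "203.0.113.5", "203.0.113.5", "192.168.1.10", 40000, 5000)

def parse_unreachable(pkt: bytes) -> dict:
    """Outer addresses plus the quoted inner 4-tuple (the part tcpdump prints after 'icmp:')."""
    ihl = (pkt[0] & 0x0F) * 4
    icmp, inner, iihl = pkt[ihl:], pkt[ihl + 8:], (pkt[ihl + 8] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", inner[iihl:iihl + 4])
    return {"type": icmp[0], "code": icmp[1],
            "outer_src": socket.inet_ntoa(pkt[12:16]), "outer_dst": socket.inet_ntoa(pkt[16:20]),
            "inner_src": socket.inet_ntoa(inner[12:16]), "inner_dst": socket.inet_ntoa(inner[16:20]),
            "sport": sport, "dport": dport,
            "checksums_ok": checksum(pkt[:ihl]) == 0 and checksum(icmp) == 0 and checksum(inner[:iihl]) == 0}

def nat_icmp_error(pkt: bytes, int_addr: str, ext_addr: str) -> bytes:
    """NAT rewrite for an ICMP error leaving the rdr'd host: outer src AND quoted inner dst int->ext, checksums refreshed."""
    ihl = (pkt[0] & 0x0F) * 4
    outer, icmp = bytearray(pkt[:ihl]), bytearray(pkt[ihl:])
    inner, iihl = icmp[8:], (icmp[8] & 0x0F) * 4
    if socket.inet_ntoa(bytes(outer[12:16])) == int_addr:
        outer[12:16] = socket.inet_aton(ext_addr)
    if socket.inet_ntoa(bytes(inner[16:20])) == int_addr:
        inner[16:20] = socket.inet_aton(ext_addr)
    inner[10:12] = struct.pack("!H", checksum(bytes(inner[:10]) + b"\0\0" + bytes(inner[12:iihl])))
    icmp[8:] = inner
    icmp[2:4] = struct.pack("!H", checksum(bytes(icmp[:2]) + b"\0\0" + bytes(icmp[4:])))
    outer[10:12] = struct.pack("!H", checksum(bytes(outer[:10]) + b"\0\0" + bytes(outer[12:])))
    return bytes(outer + icmp)
```

Running parse_unreachable on SAMPLE before and after nat_icmp_error shows the inner destination flipping from the private address to $ext, which is the field to watch in a tcpdump capture on the external interface.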
