Hello,

As far as I can see, PF replies with an ICMP unreachable if a packet is
dropped on output, even if the block policy is "drop", which is not the
intended behavior.

I've made a few tests with this setup:
host1 (192.168.1.60)<->(vr0:192.168.1.254) PF (vr2:192.168.200.254)
<-> host2 (192.168.200.2)

If I block incoming (i.e. on vr0) the traffic to 192.168.202, the packet
is simply dropped.

Rules (the "no state" is here to ensure that states are not
the problem):

block log (all)
pass in quick to 192.168.200.2 no state
block drop out quick on vr2 to 192.168.200.2
pass out quick
pass in quick inet

When I ping or SSH to the filtered host:

host1:
$ ssh 192.168.200.2
ssh: connect to host 192.168.200.2 port 22: No route to host

tcpdump on the firewall (vr0):
21:36:50.328825 IP 192.168.1.254 > 192.168.1.60: ICMP host
192.168.200.2 unreachable, length 68

The good news is that packets are filtered on output.
I see a similar behavior on OpenBSD 5.1, but it is not systematic.

Any idea?
Thanks, regards.
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
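As an added example (not PF's code and not from the original post), a toy model of PF's rule evaluation for the ruleset in this report: the last matching rule wins unless a matching rule carries "quick". For the host1 -> host2 packet it yields "block" on the vr2 output pass and, because that rule is a plain "block drop", a silent drop with no ICMP reply, which is what the report expected. The Rule class, evaluate() and expected_reply() are this example's own names; protocols, ports and state are not modelled.

```python
# Added example, not PF's own code: models direction, interface, destination,
# "quick" and last-match-wins for the ruleset quoted in the report.
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str          # "pass" or "block"
    direction: str = ""  # "in", "out" or "" for both directions
    quick: bool = False
    iface: str = ""      # "" matches any interface
    dst: str = ""        # host or CIDR; "" matches any destination
    ret: bool = False    # True only for "block return"; every rule here drops

# The ruleset from the report, rule by rule ("no state" and "log" are
# irrelevant to the matching decision and are not modelled).
RULESET = [
    Rule("block"),                                                        # block log (all)
    Rule("pass", "in", quick=True, dst="192.168.200.2"),                  # pass in quick to 192.168.200.2 no state
    Rule("block", "out", quick=True, iface="vr2", dst="192.168.200.2"),   # block drop out quick on vr2 to 192.168.200.2
    Rule("pass", "out", quick=True),                                      # pass out quick
    Rule("pass", "in", quick=True),                                       # pass in quick inet
]

def matches(rule, direction, iface, dst):
    if rule.direction and rule.direction != direction:
        return False
    if rule.iface and rule.iface != iface:
        return False
    if rule.dst and ipaddress.ip_address(dst) not in ipaddress.ip_network(rule.dst, strict=False):
        return False
    return True

def evaluate(ruleset, direction, iface, dst):
    """Return (action, rule_index): the last matching rule wins, except that a
    matching rule marked 'quick' ends evaluation immediately."""
    winner = None
    for i, rule in enumerate(ruleset):
        if matches(rule, direction, iface, dst):
            winner = (rule.action, i)
            if rule.quick:
                break
    return winner

def expected_reply(ruleset, direction, iface, dst):
    """What the sender should see: 'forwarded', 'icmp-unreachable' only for a
    'block return' rule, or 'silent-drop' for a plain 'block drop'."""
    action, i = evaluate(ruleset, direction, iface, dst)
    if action == "pass":
        return "forwarded"
    return "icmp-unreachable" if ruleset[i].ret else "silent-drop"
```

A forwarded host1 -> host2 packet is evaluated twice, in on vr0 (rule 1 passes it) and out on vr2 (rule 2 blocks it), so compare `expected_reply(RULESET, "out", "vr2", "192.168.200.2")` with the ICMP seen in the tcpdump above.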