On Tue, 15 Mar 2005, Andre Albsmeier wrote:
On Mon, 14-Mar-2005 at 18:01:33 -0500, Mario Antonio wrote:
I am running IPF v3.4.35 on FreeBSD 4.11-RELEASE. For the last few years I have been running IPF without any problem, but last week, after upgrading three machines from FreeBSD 4.9-RELEASE to 4.11-RELEASE, I have been having some issues.
First I needed to recompile the kernel with IPv6 support for IPF to work (OK, I took care of that).
One of the problems I am having is that I cannot make the machine pingable. The problem is in the outbound rules, since when I flush them (ipf -Fo) the machine becomes pingable. The weird thing is that not even ICMP logs are recorded.
This is the only set of rules for outbound:
============================================================================
block out log quick on fxp0 all head 30 # Internet Outbound
pass out quick on fxp0 proto tcp from any to any keep state keep frags group 30
pass out quick on fxp0 proto udp from any to any keep state keep frags group 30
pass out quick on fxp0 proto icmp from any to any keep state keep frags group 30
============================================================================
I have also tried the following rule, and the result is the same:
pass out quick on fxp0 all keep state keep frags
Someone already posted an email in this mailing list on 2004-08-15 17:48:24 saying that: "Everything worked before 3.4.35 was MFC'ed to FreeBSD 4.10-STABLE"
That was me :-)
Am I missing something?
The patch in
http://lists.freebsd.org/pipermail/freebsd-net/2004-November/005577.html
fixes _my_ problem w.r.t. returning ICMP packets. Maybe it fixes yours as well, maybe it kills your machine :-).
Should that go in the 4.11 errata page perhaps? Is ipfilter on its way out of FreeBSD in favor of pf? Just need to get a handle on this going forward, as I've got a ton of hosts running ipf that are getting the 4.11 upgrade very soon.
Anyhow, I was able to get my icmp back by reordering where my "quick" icmp rules fell... For whatever that's worth.
Charles
-Andre
-- Windows NT Multitasking: Messing up several things at once.
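To trace how ipf would evaluate the outbound ruleset Mario quotes above (rules walked in order, last match wins unless "quick", group 30 consulted only after its head matched), here is an added Python model; it is not code from the thread or from IP Filter, it matches on direction, interface and protocol only, and it assumes the default policy is pass.

```python
# Added model of IP Filter (ipf) rule evaluation (not code from the thread).
# ipf walks rules in order; the LAST match wins unless a matching rule says
# "quick", which ends the walk. A "head N" rule opens group N, whose rules are
# consulted only after the head itself matched. Simplifications: match on
# direction, interface and proto only; no addresses, state table or fragments;
# default is assumed "pass" (ipf blocks if built with IPFILTER_DEFAULT_BLOCK).

def parse_rule(line):
    tokens = line.split("#")[0].split()  # drop trailing comment, tokenize
    rule = {"text": line.strip(), "action": tokens[0], "dir": tokens[1],
            "quick": "quick" in tokens, "iface": None, "proto": None,
            "head": None, "group": None}
    for key in ("on", "proto", "head", "group"):
        if key in tokens:
            rule["iface" if key == "on" else key] = tokens[tokens.index(key) + 1]
    return rule

def parse_ruleset(text):
    return [parse_rule(l) for l in text.strip().splitlines() if l.strip()]

def _matches(rule, direction, iface, proto):
    return (rule["dir"] == direction and rule["iface"] in (None, iface)
            and rule["proto"] in (None, proto))

def evaluate(rules, direction, iface, proto, default="pass"):
    """Return (action, text of the deciding rule) for one packet."""
    def walk(candidates, last):
        for rule in candidates:
            if not _matches(rule, direction, iface, proto):
                continue
            last = rule
            if rule["head"] is not None:  # descend into the group it heads
                last, stop = walk([g for g in rules if g["group"] == rule["head"]], last)
                if stop:
                    return last, True
            if rule["quick"]:
                return last, True
        return last, False
    last, _ = walk([r for r in rules if r["group"] is None], None)
    return (last["action"], last["text"]) if last else (default, "(default policy)")

# Mario's outbound ruleset as quoted in the thread.
MARIO_OUT = parse_ruleset("""
block out log quick on fxp0 all head 30 # Internet Outbound
pass out quick on fxp0 proto tcp from any to any keep state keep frags group 30
pass out quick on fxp0 proto udp from any to any keep state keep frags group 30
pass out quick on fxp0 proto icmp from any to any keep state keep frags group 30
""")
print(evaluate(MARIO_OUT, "out", "fxp0", "icmp"))  # decided by the group-30 icmp rule
```

Under these semantics an outbound ICMP echo reply on fxp0 reaches the group-30 icmp pass rule, so the rule text alone does not account for the blocked pings. Feeding the same function a flat ruleset with a quick block placed before or after the icmp pass rule shows why the position of quick rules, which Charles reordered, changes the outcome.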
