Charles,

By any chance, can I get a copy of your working icmp rules?

----- Original Message -----
From: "Charles Sprickman" <[EMAIL PROTECTED]>
To: "Andre Albsmeier" <[EMAIL PROTECTED]>
Cc: "Mario Antonio" <[EMAIL PROTECTED]>; <[email protected]>
Sent: Tuesday, March 15, 2005 3:28 PM
Subject: Re: ICMP Issues FreeBSD

> On Tue, 15 Mar 2005, Andre Albsmeier wrote:
>
> > On Mon, 14-Mar-2005 at 18:01:33 -0500, Mario Antonio wrote:
> >> I am running IPF v3.4.35 in FreeBSD 4.11-RELEASE
> >> For the last years I have been running IPF without any problem, but last
> >> week after upgrading three machines from FreeBSD
> >> 4.9-RELEASE to 4.11-RELEASE, I have been having some issues.
> >>
> >> First I needed to recompile the kernel with IPv6 support for IPF to work
> >> (Ok, I took care of that)
> >>
> >> One of the problems I am having is that I cannot make the machine pingable.
> >> The problem is in the outbound rules since when I
> >> flush them (ipf -Fo), the machine becomes pingable.
> >> The weird thing is not even ICMP logs are recorded
> >>
> >> This is the only set of rules for outbound:
> >>
> >> ===================================================================================
> >> block out log quick on fxp0 all head 30
> >> # Internet Outbound
> >> pass out quick on fxp0 proto tcp from any to any keep state keep frags group 30
> >> pass out quick on fxp0 proto udp from any to any keep state keep frags group 30
> >> pass out quick on fxp0 proto icmp from any to any keep state keep frags group 30
> >> ===================================================================================
> >>
> >> I have also tried the following rule, and the result is the same:
> >> pass out quick on fxp0 all keep state keep frags
> >>
> >> Someone already posted an email in this mailing list on 2004-08-15 17:48:24
> >> saying that: "Everything worked before 3.4.35 was MFC'ed to FreeBSD
> >> 4.10-STABLE"
> >
> > That was me :-)
> >
> >>
> >> Am I missing something?
> >
> > The patch in
> >
> > http://lists.freebsd.org/pipermail/freebsd-net/2004-November/005577.html
> >
> > fixes _my_ problem w.r.t. returning ICMP packets. Maybe it fixes yours
> > as well, maybe it kills your machine :-).
>
> Should that go in the 4.11 errata page perhaps? Is ipfilter on its way
> out of FreeBSD in favor of pf? Just need to get a handle on this going
> forward, as I've got a ton of hosts running ipf that are getting the 4.11
> upgrade very soon.
>
> Anyhow, I was able to get my icmp back by reordering where my "quick" icmp
> rules fell... For whatever that's worth.
>
> Charles
>
> > -Andre
> >
> > --
> > Windows NT Multitasking: Messing up several things at once.
>
> ---
> [This e-mail was scanned for viruses by Webjogger's AntiVirus Protection System]
