On Tue, 15 Mar 2005, Mario Antonio wrote:

Charles,

By any chance, can I get a copy of your working icmp rules?

The rules remained the same:

pass in quick on fxp0 proto icmp from any to any icmp-type 0
pass in quick on fxp0 proto icmp from any to any icmp-type 8
pass in quick on fxp0 proto icmp from any to any icmp-type 11
block in log quick on fxp0 proto icmp from any to any

However I had to stick this below a stack of "quick" rules that permitted everything between a number of "safe" hosts where previously it worked above them...

Charles


----- Original Message -----
From: "Charles Sprickman" <[EMAIL PROTECTED]>
To: "Andre Albsmeier" <[EMAIL PROTECTED]>
Cc: "Mario Antonio" <[EMAIL PROTECTED]>; <[email protected]>
Sent: Tuesday, March 15, 2005 3:28 PM
Subject: Re: ICMP Issues FreeBSD


On Tue, 15 Mar 2005, Andre Albsmeier wrote:

On Mon, 14-Mar-2005 at 18:01:33 -0500, Mario Antonio wrote:
I am running IPF v3.4.35 in FreeBSD 4.11-RELEASE
For the last years I have been running IPF without any problem, but last week after upgrading three machines from FreeBSD 4.9-RELEASE to 4.11-RELEASE, I have been having some issues.

First I needed to recompile the kernel with IPv6 support for IPF to work (Ok, I took care of that)


One of the problems I am having is that I cannot make the machine pingable. The problem is in the outbound rules since when I flush them (ipf -Fo), the machine becomes pingable. The weird thing is not even ICMP logs are recorded.

This is the only set of rules for outbound:


===================================================================================
block out log quick on fxp0 all head 30
# Internet Outbound
pass out quick on fxp0 proto tcp from any to any keep state keep frags group 30
pass out quick on fxp0 proto udp from any to any keep state keep frags group 30
pass out quick on fxp0 proto icmp from any to any keep state keep frags group 30

===================================================================================

I have also tried the following rule, and the result is the same:
pass out quick on fxp0 all keep state keep frags



Someone already posted an email in this mailing list on 2004-08-15 17:48:24 saying that: "Everything worked before 3.4.35 was MFC'ed to FreeBSD 4.10-STABLE"

That was me :-)


Am I missing something?

The patch in

http://lists.freebsd.org/pipermail/freebsd-net/2004-November/005577.html

fixes _my_ problem w.r.t. returning ICMP packets. Maybe it fixes yours
as well, maybe it kills your machine :-).

Should that go in the 4.11 errata page perhaps? Is ipfilter on its way out of FreeBSD in favor of pf? Just need to get a handle on this going forward, as I've got a ton of hosts running ipf that are getting the 4.11 upgrade very soon.

Anyhow, I was able to get my icmp back by reordering where my "quick" icmp
rules fell...  For whatever that's worth.

Charles

-Andre

--
Windows NT Multitasking: Messing up several things at once.

---
[This e-mail was scanned for viruses by Webjogger's AntiVirus Protection
System]



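Added example, not from the thread or from the ipfilter project: a small Python model of how ipf evaluates "quick" rules, applied to the ICMP rules Charles quotes above. The trusted-host rule, the packet builder and the addresses are constructed here to stand in for his "stack of quick rules" and show why the catch-all ICMP block behaves differently above and below them; the parser handles only the rule subset seen in this thread.

```python
import re

# Subset of the ipf rule grammar; a trailing "head N" / "group N" is ignored.
RULE_RE = re.compile(
    r"(?P<action>pass|block)\s+(?P<dir>in|out)(?:\s+log)?(?P<quick>\s+quick)?"
    r"\s+on\s+(?P<ifc>\S+)(?:\s+proto\s+(?P<proto>\S+))?"
    r"(?:\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)|\s+all)"
    r"(?:\s+icmp-type\s+(?P<itype>\d+))?")

def parse(rule):
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError("unsupported rule: " + rule)
    d = m.groupdict()
    d["itype"] = int(d["itype"]) if d["itype"] else None
    return d

def matches(r, pkt):
    if r["dir"] != pkt["dir"] or r["ifc"] != pkt["ifc"]:
        return False
    if r["proto"] and r["proto"] != pkt["proto"]:
        return False
    if any(r[k] not in (None, "any") and r[k] != pkt[k] for k in ("src", "dst")):
        return False
    return r["itype"] is None or r["itype"] == pkt.get("itype")

def evaluate(rules, pkt):
    # ipf semantics: the last matching rule wins, unless a matching rule says
    # "quick", which ends evaluation at once. With no match at all, ipf passes.
    verdict = "pass"
    for r in map(parse, rules):
        if matches(r, pkt):
            verdict = r["action"]
            if r["quick"]:
                break
    return verdict
# The ICMP rules quoted in the message above.
ICMP_RULES = [
    "pass in quick on fxp0 proto icmp from any to any icmp-type 0",
    "pass in quick on fxp0 proto icmp from any to any icmp-type 8",
    "pass in quick on fxp0 proto icmp from any to any icmp-type 11",
    "block in log quick on fxp0 proto icmp from any to any",
]
# Constructed stand-in for the "stack of quick rules" that permit a safe host.
SAFE_HOST_RULE = "pass in quick on fxp0 from 192.0.2.10 to any"
ABOVE = ICMP_RULES + [SAFE_HOST_RULE]   # ICMP block placed above the safe-host rule
BELOW = [SAFE_HOST_RULE] + ICMP_RULES   # the placement that worked for Charles

def icmp_in(src, itype):
    """Constructed inbound ICMP packet on fxp0 (documentation-range addresses)."""
    return dict(dir="in", ifc="fxp0", proto="icmp", src=src, dst="192.0.2.1", itype=itype)
```

With the block rule above the safe-host rule, a destination-unreachable (type 3) from the safe host is dropped and logged before its own pass rule is ever reached; below it, the safe host passes while untrusted hosts still only get types 0, 8 and 11.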

