Specifically, here is the problem:
With the first set of rules loaded,
ns2.et> ipf -Fa -f ipf.conf
ns2.et> ipfstat -hi | grep icmp ; ipfstat -ho | head -4
0 pass in quick proto icmp from any to any
0 pass out quick on lo0 all
0 pass out quick all keep state
0 block out log all
[EMAIL PROTECTED] (138) [~]> ping ns2.et
PING ns2.et (192.168.1.2) 56(84) bytes of data.
--- ns2.et ping statistics ---
8 packets transmitted, 0 received, 100% packet loss, time 7000ms
ns2.et> ipfstat -hi | grep icmp ; ipfstat -ho | head -4
8 pass in quick proto icmp from any to any
0 pass out quick on lo0 all
8 pass out quick all keep state
0 block out log all
Why don't the icmp replies ever make it out? I run a snoop on ns2.et,
and I only see ICMP requests, no replies.
Flushing the rules, or tweaking the rule set fixes this, but it worked
in 3.4.31 before.
Erik Huizing wrote:
Hello,
I'm planning to upgrade some of our servers to 4.1.8, and while
testing, found that icmp doesn't work with our current rule set. We've got
# start of file
# outbound connections
pass out quick all keep state
# allow ping
pass in quick proto icmp all
# rest of file is port and IP-based ACLS
I found switching to this, worked
# allow ping
pass out quick proto icmp all
pass in quick proto icmp all
# outbound connections
pass out quick all keep state
Did something change between ipf 3.4.31 to 4.1.8 that would cause this
behaviour?
Am I correct in guessing I'll have to tweak the rule sets as I roll
out the upgrade?
--
Erik Huizing
Regional Services
(403)-781-4906
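The thread turns on two IPFilter behaviours: rules are walked top to bottom with the last match deciding a packet unless a matching rule says `quick`, which ends the walk at once, and `ipfstat -h` counts a hit on every rule a packet matched. The script below is an added illustration, not code from the thread or from IPFilter: a small evaluator that parses only the keywords used in the posted rule sets, replays the eight-packet ping against the original and the reordered rule set, and reports which rule decides each echo reply and the per-rule hit counts. The `block out log all` and `on lo0` lines are taken from the `ipfstat -ho` output; the port/IP ACLs the poster omitted are omitted here too, the interface name `hme0` and the packets are constructed samples, and `keep state` is parsed but not modelled, so the script reproduces the counters without saying anything about why 4.1.8 drops the replies.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Rule:
    action: str              # pass | block
    direction: str           # in | out
    quick: bool              # stop evaluating as soon as this rule matches
    iface: Optional[str]     # "on <iface>"; None = any interface
    proto: Optional[str]     # "proto <name>"; None = any protocol
    keep_state: bool         # parsed only; the state engine is not modelled
    log: bool
    text: str                # the rule as written, used as the report key
    hits: int = 0            # first column of ipfstat -h


@dataclass
class Packet:
    direction: str
    proto: str
    iface: str
    desc: str


# Only the keywords that appear in the posted rule sets are accepted.
RULE_RE = re.compile(
    r"^(?P<action>pass|block)\s+(?P<dir>in|out)"
    r"(?P<log>\s+log)?"
    r"(?P<quick>\s+quick)?"
    r"(?:\s+on\s+(?P<iface>\S+))?"
    r"(?:\s+proto\s+(?P<proto>\S+))?"
    r"\s+(?:all|from\s+\S+\s+to\s+\S+)"
    r"(?P<keep>\s+keep\s+state)?\s*$"
)


def parse_rules(conf: str) -> List[Rule]:
    rules = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"unsupported rule syntax: {line!r}")
        rules.append(Rule(m["action"], m["dir"], m["quick"] is not None,
                          m["iface"], m["proto"], m["keep"] is not None,
                          m["log"] is not None, line))
    return rules


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and (rule.iface is None or rule.iface == pkt.iface)
            and (rule.proto is None or rule.proto == pkt.proto))


def evaluate(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """Walk the list top to bottom. Every matching rule gets a hit; the last
    match decides the packet unless a matching rule is `quick`, which ends
    the walk immediately. Returns the deciding rule (None = no match)."""
    decided = None
    for rule in rules:
        if matches(rule, pkt):
            rule.hits += 1
            decided = rule
            if rule.quick:
                break
    return decided


def deciding_rule(conf: str, pkt: Packet) -> Optional[str]:
    rule = evaluate(parse_rules(conf), pkt)
    return None if rule is None else rule.text


def trace_ping(conf: str, count: int = 8, iface: str = "hme0") -> Dict[str, int]:
    """Replay `count` echo requests in and the matching replies out and return
    per-rule hit counts in the shape ipfstat -h reports them."""
    rules = parse_rules(conf)
    for _ in range(count):
        evaluate(rules, Packet("in", "icmp", iface, "echo request"))
        evaluate(rules, Packet("out", "icmp", iface, "echo reply"))
    return {r.text: r.hits for r in rules}


# Constructed rule sets built from the lines shown in the thread.
RULES_ORIGINAL = """
pass out quick on lo0 all
pass out quick all keep state
pass in quick proto icmp all
block out log all
"""
RULES_REORDERED = """
pass out quick on lo0 all
pass out quick proto icmp all
pass in quick proto icmp all
pass out quick all keep state
block out log all
"""
# The original set without `quick`: the last matching rule then decides.
RULES_NO_QUICK = RULES_ORIGINAL.replace(" quick", "")

ECHO_REPLY = Packet("out", "icmp", "hme0", "echo reply")   # constructed sample

if __name__ == "__main__":
    for name, conf in [("original", RULES_ORIGINAL),
                       ("reordered", RULES_REORDERED),
                       ("no quick", RULES_NO_QUICK)]:
        print(f"[{name}] echo reply decided by: {deciding_rule(conf, ECHO_REPLY)}")
        for text, hits in trace_ping(conf).items():
            print(f"  {hits:>4} {text}")
```

Running it reproduces the counters in the thread for the original set (8 on `pass in quick proto icmp all`, 8 on `pass out quick all keep state`, 0 on the rest) and shows that the reordered set moves the replies onto `pass out quick proto icmp all` before the `keep state` rule is ever consulted. The third set is there to show why `quick` matters at all: with it removed, the same reply still hits the pass rule but is decided by the later `block out log all`.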