Hello,

I think there is a bug in redirecting ICMP echo requests in the current pf.
I have an OpenBSD firewall currently allowing pings.  In that
configuration, the firewall itself responds to the pings and everything
works as expected.

If I decide to redirect that ping via binat or rdr, the first ping will fail
and subsequent pings will succeed.  Amazingly, it doesn't matter where I
redirect the ping to: it could be the same public IP address the packet
would have gone to anyway, it could be the "inside" interface of the
firewall itself, or it could be a host within my LAN (OS X and Windows XP
hosts).

The other interesting thing is that tcpdump (both on OpenBSD and on the
receiving host) shows the first ping packet, but the host simply refuses to
reply to it.  I can only assume that when I redirect to an IP address on the
OpenBSD machine, the packet "reaches" the machine logically after firewalling
also.

Yet another interesting test: I tried pinging from a well-known public Cisco
BGP route server.  Apparently Cisco increments what pf considers the port
number of ICMP "connections" with each ping it sends.  The result of this
was that none of the pings were replied to (yet again tcpdump shows they all
made it to the host).

I can only assume that the first ping packet (first packet defined as the
packet that generates the state) isn't quite translated right by pf.

I've simplified my rules to these for testing purposes... I do have multiple
public addresses and have tested binat, which fails in the exact same way as
doing it with rdr.

Please let me know how I can assist more on this.

a.a.a.a is my public IP, b.b.b.b is the outside server I'm testing from.

# pfctl -sa
TRANSLATION RULES:
nat on sis0 inet from 192.168.2.0/24 to any -> a.a.a.a
rdr on sis0 inet proto icmp from any to a.a.a.a -> 192.168.2.50

# the destination IP address in the above rdr rule can be modified to
*anything* (that will respond).  No matter what host I pick, the first ping
fails and the rest succeed, including IP addresses of the OpenBSD machine
itself.

FILTER RULES:
scrub on sis0 all fragment reassemble
block return on sis0 all
pass out on sis0 inet all flags S/SA keep state queue(q_nontcp, q_nontcp_pri)
pass out on sis0 inet proto tcp all flags S/SA keep state queue(q_def, q_pri)
pass in on sis0 inet proto icmp all icmp-type echoreq keep state queue(q_bulk, q_bulk_pri)
block drop in on ! sis1 inet from 192.168.2.0/24 to any
block drop in inet from 192.168.2.254 to any

ALTQ:
queue q_bulk on sis0 priority 2
queue q_bulk_pri on sis0 priority 3
queue q_def on sis0 priority 4 priq( default )
queue q_pri on sis0 priority 5
queue q_nontcp on sis0 priority 6
queue q_nontcp_pri on sis0 priority 7




(mac prompt)$ sudo tcpdump -pnlvv icmp
Password:
tcpdump: listening on en0, link-type EN10MB (Ethernet), capture size 96 bytes
22:56:51.920768 IP (tos 0x20, ttl  49, id 37291, offset 0, flags [none], proto: ICMP (1), length: 84) b.b.b.b > 192.168.2.50: ICMP echo request, id 52631, seq 0, length 64

22:56:52.927812 IP (tos 0x20, ttl  49, id 37313, offset 0, flags [none], proto: ICMP (1), length: 84) b.b.b.b > 192.168.2.50: ICMP echo request, id 52631, seq 1, length 64

22:56:52.927839 IP (tos 0x20, ttl  64, id 10009, offset 0, flags [none], proto: ICMP (1), length: 84, bad cksum 0 (->c802)!) 192.168.2.50 > b.b.b.b: ICMP echo reply, id 52631, seq 1, length 64

22:56:53.937344 IP (tos 0x20, ttl  49, id 37329, offset 0, flags [none], proto: ICMP (1), length: 84) b.b.b.b > 192.168.2.50: ICMP echo request, id 52631, seq 2, length 64

22:56:53.937367 IP (tos 0x20, ttl  64, id 10011, offset 0, flags [none], proto: ICMP (1), length: 84, bad cksum 0 (->c800)!) 192.168.2.50 > b.b.b.b: ICMP echo reply, id 52631, seq 2, length 64



OpenBSD 4.1-current (GENERIC) #315: Mon Jul  2 13:24:20 MDT 2007
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Geode(TM) Integrated Processor by National Semi ("Geode by NSC" 586-class) 267 MHz
cpu0: FPU,TSC,MSR,CX8,CMOV,MMX
cpu0: TSC disabled
real mem  = 133787648 (127MB)
avail mem = 121815040 (116MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 20/50/29, BIOS32 rev. 0 @ 0xf7840
pcibios0 at bios0: rev 2.0 @ 0xf0000/0x10000
pcibios0: pcibios_get_intr_routing - function not supported
pcibios0: PCI IRQ Routing information unavailable.
pcibios0: PCI bus #0 is the last bus
bios0: ROM list: 0xc8000/0x9000
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 "Cyrix GXm PCI" rev 0x00
sis0 at pci0 dev 6 function 0 "NS DP83815 10/100" rev 0x00, DP83816A: irq 10, address 00:00:24:c2:c0:04
nsphyter0 at sis0 phy 0: DP83815 10/100 PHY, rev. 1
sis1 at pci0 dev 7 function 0 "NS DP83815 10/100" rev 0x00, DP83816A: irq 10, address 00:00:24:c2:c0:05
nsphyter1 at sis1 phy 0: DP83815 10/100 PHY, rev. 1
sis2 at pci0 dev 8 function 0 "NS DP83815 10/100" rev 0x00, DP83816A: irq 10, address 00:00:24:c2:c0:06
nsphyter2 at sis2 phy 0: DP83815 10/100 PHY, rev. 1
gscpcib0 at pci0 dev 18 function 0 "NS SC1100 ISA" rev 0x00
gpio0 at gscpcib0: 64 pins
"NS SC1100 SMI" rev 0x00 at pci0 dev 18 function 1 not configured
pciide0 at pci0 dev 18 function 2 "NS SCx200 IDE" rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: <WDC WD400UE-00HCT0>
wd0: 16-sector PIO, LBA, 38154MB, 78140160 sectors
wd1 at pciide0 channel 0 drive 1: <SanDisk SDCFH-512>
wd1: 1-sector PIO, LBA, 488MB, 1000944 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
wd1(pciide0:0:1): using PIO mode 4, DMA mode 2
geodesc0 at pci0 dev 18 function 5 "NS SC1100 X-Bus" rev 0x00: iid 6 revision 3 wdstatus 0
ohci0 at pci0 dev 19 function 0 "Compaq USB OpenHost" rev 0x08: irq 11, version 1.0, legacy support
isa0 at gscpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard
pcppi0 at isa0 port 0x61
midi0 at pcppi0: <PC speaker>
spkr0 at pcppi0
nsclpcsio0 at isa0 port 0x2e/2: NSC PC87366 rev 9: GPIO VLM TMS
gpio1 at nsclpcsio0: 29 pins
gscsio0 at isa0 port 0x15c/2: SC1100 SIO rev 1:
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom0: console
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
usb0 at ohci0: USB revision 1.0
uhub0 at usb0: Compaq OHCI root hub, rev 1.00/1.00, addr 1
biomask fbe5 netmask ffe5 ttymask ffe7
pctr: no performance counters in CPU
dkcsum: wd0 matches BIOS drive 0x80
dkcsum: wd1 matches BIOS drive 0x81
root on wd0a swap on wd0b dump on wd0b
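As an added example (not part of the original bug report, and not OpenBSD or pf code), the following script automates the check the poster did by eye on the tcpdump output above: it pairs each ICMP echo request with its reply by endpoints, id and seq, lists requests that never got one, and summarises traffic per echo id, which is the value the post says pf treats as the "port" of an ICMP state. The two captures embedded in it are constructed: the first mirrors the post (seq 0 unanswered, seq 1 and 2 answered), the second models the route-server case where the id changes on every request. The `c.c.c.c` address and the timestamps in that second sample are invented placeholders.

```python
"""Pair ICMP echo requests with replies in `tcpdump -n icmp` output.

Added example for the pf rdr/ICMP bug report; not the poster's code.
Works on both plain `-n` lines and the `-vv` lines shown in the post.
"""
import re
from collections import OrderedDict

# Constructed sample in the post's `-vv` format: request seq 0 gets no
# reply, seq 1 and seq 2 do.  b.b.b.b is the poster's placeholder.
SAMPLE = """\
22:56:51.920768 IP (tos 0x20, ttl  49, id 37291, offset 0, flags [none], proto: ICMP (1), length: 84) b.b.b.b > 192.168.2.50: ICMP echo request, id 52631, seq 0, length 64
22:56:52.927812 IP (tos 0x20, ttl  49, id 37313, offset 0, flags [none], proto: ICMP (1), length: 84) b.b.b.b > 192.168.2.50: ICMP echo request, id 52631, seq 1, length 64
22:56:52.927839 IP (tos 0x20, ttl  64, id 10009, offset 0, flags [none], proto: ICMP (1), length: 84, bad cksum 0 (->c802)!) 192.168.2.50 > b.b.b.b: ICMP echo reply, id 52631, seq 1, length 64
22:56:53.937344 IP (tos 0x20, ttl  49, id 37329, offset 0, flags [none], proto: ICMP (1), length: 84) b.b.b.b > 192.168.2.50: ICMP echo request, id 52631, seq 2, length 64
22:56:53.937367 IP (tos 0x20, ttl  64, id 10011, offset 0, flags [none], proto: ICMP (1), length: 84, bad cksum 0 (->c800)!) 192.168.2.50 > b.b.b.b: ICMP echo reply, id 52631, seq 2, length 64
"""

# Constructed sample modelling a sender that uses a fresh echo id for
# every request (the route-server behaviour described in the post).
# c.c.c.c and the timestamps are invented placeholders.
SAMPLE_CHANGING_ID = """\
10:00:00.000000 IP c.c.c.c > 192.168.2.50: ICMP echo request, id 1, seq 0, length 64
10:00:01.000000 IP c.c.c.c > 192.168.2.50: ICMP echo request, id 2, seq 1, length 64
10:00:02.000000 IP c.c.c.c > 192.168.2.50: ICMP echo request, id 3, seq 2, length 64
"""

# The lazy ".*?" skips the "(tos ..., length: 84)" block that -vv inserts
# between "IP" and the endpoints; it matches empty on plain -n output.
ICMP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP .*?(?P<src>\S+) > (?P<dst>\S+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)


def parse(capture):
    """Yield (ts, src, dst, kind, id, seq) for echo lines; ignore others."""
    for line in capture.splitlines():
        m = ICMP_RE.match(line)
        if m:
            yield (m["ts"], m["src"], m["dst"], m["kind"],
                   int(m["id"]), int(m["seq"]))


def unanswered(capture):
    """Return (src, dst, id, seq) of every request with no matching reply.

    A reply matches when id and seq are equal and the endpoints are
    swapped.  Insertion order is kept so the first failure is listed first.
    """
    pending = OrderedDict()
    for ts, src, dst, kind, ident, seq in parse(capture):
        if kind == "request":
            pending[(src, dst, ident, seq)] = ts
        else:
            pending.pop((dst, src, ident, seq), None)
    return list(pending)


def per_id_summary(capture):
    """Map (requester, target, id) -> (requests, replies).

    Replies are folded back onto the requester's side so each key is one
    ICMP "connection" as pf would see it.  A sender that changes id per
    packet produces one key per request, each with zero replies.
    """
    summary = {}
    for ts, src, dst, kind, ident, seq in parse(capture):
        key = (src, dst, ident) if kind == "request" else (dst, src, ident)
        req, rep = summary.get(key, (0, 0))
        summary[key] = (req + 1, rep) if kind == "request" else (req, rep + 1)
    return summary


if __name__ == "__main__":
    for name, cap in (("post", SAMPLE), ("changing id", SAMPLE_CHANGING_ID)):
        print(f"[{name}] unanswered: {unanswered(cap)}")
        for key, counts in per_id_summary(cap).items():
            print(f"  {key}: {counts[0]} requests, {counts[1]} replies")
```

Run it against a real capture with `tcpdump -nl icmp | python3 script.py` after swapping `SAMPLE` for `sys.stdin.read()`; the `unanswered` list for a healthy rdr target should be empty once the first state has been created, and a run where every key in `per_id_summary` shows `(1, 0)` is the pattern the post reports for the route server.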
