On 1/13/2011 at 5:59 AM David Walker wrote:
|Hi Mike.
|
|[snip]
|
|Second, and here we go into grey area, I'm no expert at the pf thing
|and I do it slightly differently from you.
|However, I use a simple ruleset and don't explicitly allow ICMP ...
|and yet it works from internal Windows and OpenBSD hosts.
|
|Here are the basics (in case there's a clue there):
|
|# options
|
|set block-policy return
|set debug urgent
|set loginterface pppoe0
|set optimization normal
|set reassemble no
|set require-order yes
|set ruleset-optimization basic
|set skip on lo
|#set state-defaults
|set state-policy if-bound
|#set timeout
|
|# traffic normalization
|
|antispoof quick for lo inet
|antispoof quick for vr1 inet
|antispoof quick for vr2 inet
|
|# packet filtering
|
|block all
|
|# pppoe0:network
|
|match in log on pppoe0
|
|pass out on pppoe0 inet from (pppoe0) to any
|pass out on pppoe0 inet from vr1:network nat-to (pppoe0)
|pass out on pppoe0 inet from vr2:network nat-to (pppoe0)
|
|#pass in on pppoe0 inet proto icmp from any to (pppoe0) icmp-type 8 code 0
|
|# vr1:network
|
|pass in on vr1 inet from vr1:network to any
|pass out on vr1 inet from vr1 to vr1:network
|pass out on vr1 inet from vr2:network to vr1:network
|
|# vr2:network
|
|pass in on vr2 inet from vr2:network to any
|pass out on vr2 inet from vr2 to vr2:network
|pass out on vr2 inet from vr1:network to vr2:network
=============
When I use that ruleset (changing nothing except the interface names), traceroute using ICMP still does not work from the clients. Someone else suggested looking at the pflogd interface using tcpdump, to see why the packets may be dropped. That's my next avenue of approach. Thanks again.
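The pflog inspection mentioned above is the quickest way to see which rule is eating the traceroute probes. The script below is an added example, written for this thread rather than posted by either participant: it takes the text that `tcpdump -n -e -r /var/log/pflog` (or `tcpdump -n -e -i pflog0`) prints and tallies packets by action, direction, interface, rule number and protocol, so a run of "block in ... icmp" lines against a specific rule stands out immediately. The sample lines embedded in `SAMPLE_PFLOG` are constructed for the example in the format OpenBSD's tcpdump uses for the pflog header (`rule N/(match) block in on vr1:`); the interface names, rule numbers and addresses are assumptions, not data from the original messages.

```shell
#!/bin/sh
# Added example: summarise pflog output so blocked ICMP (echo requests from the
# LAN, "time exceeded" replies coming back on the uplink) can be attributed to a
# rule number. Feed it the output of:
#     tcpdump -n -e -r /var/log/pflog | summarize_pflog
# or, live:
#     tcpdump -n -e -i pflog0 | summarize_pflog

# Constructed sample in tcpdump's pflog format (not real traffic from the thread).
SAMPLE_PFLOG='10:01:02.100000 rule 3/(match) block in on vr1: 192.168.1.10 > 8.8.8.8: icmp: echo request
10:01:02.200000 rule 3/(match) block in on vr1: 192.168.1.10 > 8.8.8.8: icmp: echo request
10:01:03.000000 rule 5/(match) pass in on vr1: 192.168.1.10.51234 > 8.8.8.8.53: udp 40
10:01:04.000000 rule 3/(match) block in on pppoe0: 203.0.113.7 > 198.51.100.2: icmp: time exceeded in-transit'

# Reads pflog text on stdin; prints "<count> <action> <dir> <iface> rule <n> <proto>",
# most frequent first. Tolerates both "rule 3/(match)" and "rule 3/0(match)" headers.
summarize_pflog() {
    awk '
    /rule [0-9]+\/[0-9]*\(match\)/ {
        # Locate the pf header regardless of how the timestamp was printed.
        for (i = 1; i <= NF; i++) if ($i == "rule") break
        rule = $(i + 1); sub(/\/.*/, "", rule)      # "3/(match)" -> "3"
        action = $(i + 2)                            # block | pass | match
        dir    = $(i + 3)                            # in | out
        iface  = $(i + 5); sub(/:$/, "", iface)      # "vr1:" -> "vr1"
        proto = "tcp/other"
        if ($0 ~ /: icmp:/)     proto = "icmp"
        else if ($0 ~ /: udp/)  proto = "udp"
        key = action " " dir " " iface " rule " rule " " proto
        count[key]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2
}

# Total packets blocked for one protocol name (icmp, udp, tcp/other); stdin as above.
count_blocked() {
    summarize_pflog | awk -v p="$1" '$2 == "block" && $NF == p { n += $1 } END { print n + 0 }'
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_PFLOG" | summarize_pflog
printf 'blocked icmp: %s\n' "$(printf '%s\n' "$SAMPLE_PFLOG" | count_blocked icmp)"
```

Because the ruleset in the quoted message uses `set block-policy return`, a blocked probe produces a TCP RST or ICMP unreachable toward the client rather than a silent drop, so a second `tcpdump -n -i vr1 icmp` on the inside interface is a useful cross-check: the client's echo requests should appear there, and the summary above tells you whether pf matched them to a `pass` state or to the catch-all `block`.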

