Hello Ian,
thanks for clarifying details.
On Mon, May 02, 2022 at 03:27:06PM +0100, Ian Chilton wrote:
> Hi Alexandr,
>
> Not quite, this is the corrected diagram:
>
> .--->-- rpki.ripe.net ---->--------.
> | |
> | |
> | |
> ^ echo request: V echo reply:
> | 172.16.0.91 -> 193.0.6.138 | 193.0.6.138 -> 172.16.0.91
> | |
> | vlan367 | vlan313
> ,------+-------. ,------+-------.
> | gw2 | vlan209 | gw1 |
> | 172.16.0.91 +-------------------+ 172.16.0.90 |
> | | | |
> | +-------------------+ |
> | | vlan409 | |
> `--------------' `--------------'
>
>
> > I would try to make state check less paranoid at gw1:
> > pass quick proto { icmp, icmp6 } keep state (sloppy)
>
> That does fix it!
>
> Would you mind explaining more about this?
>
this code comes from pf_match_rule(), which pf uses
to see whether packet matches the rule:
3686
3687 case IPPROTO_ICMP:
3688 case IPPROTO_ICMPV6:
3689 /* icmp only. type always 0 in other cases */
3690 PF_TEST_ATTRIB((r->type &&
3691 r->type != ctx->icmptype + 1),
3692 TAILQ_NEXT(r, entries));
3693 /* icmp only. type always 0 in other cases */
3694 PF_TEST_ATTRIB((r->code &&
3695 r->code != ctx->icmpcode + 1),
3696 TAILQ_NEXT(r, entries));
3697 /* icmp only. don't create states on replies */
3698 PF_TEST_ATTRIB((r->keep_state && !ctx->state_icmp
&&
3699 (r->rule_flag & PFRULE_STATESLOPPY) == 0 &&
3700 ctx->icmp_dir != PF_IN),
3701 TAILQ_NEXT(r, entries));
3702 break;
3703
comment at line 3697, says we don't allow pf to create state
on behalf of icmp replies. This is a default behavior, which may
be changed by specifying 'keep state (sloppy)' (PFRULE_STATESLOPPY).
the sloppy option is described in pf.conf(5) manpage:
sloppy
Uses a sloppy TCP connection tracker that does not check sequence
numbers at all, which makes insertion and ICMP teardown attacks way
easier. This is intended to be used in situations where one does
not see all packets of a connection, e.g. in asymmetric routing
situations. It cannot be used with modulate state or synproxy
state.
it does not mention ICMP handling at all. However it says one may want
to use it when dealing with 'asymetric routing' situation.
I believe claudio@ has advice for you based on some of his real life
experience.
I'm glad using 'sloppy' works for you.
regards
sashan
