Hi,
> those ICMP teardown attacks affect TCP sessions only. The 'keep state
> (sloppy)'
> relaxes stateful check for icmp, icmp6 only. For TCP pf still performs
> strict stateful check.
>
Hmm, just to be clear: the original problem was with TCP - rsync’ing RPKI
ROAs from rpki.ripe.net. I just then turned to ping to debug.
So I do need a fix for TCP/UDP as well as just ICMP.
> while gw1 must have pair of states to forward ICMP reply back
> to gw2. pfsync delivers just single state from gw2. The state
> allows inbound ICMP reply only. And there is no state which
> allows outbound ICMP reply at gw1. And there are two possible
> workarounds:
> either use 'keep state (sloppy)' at gw1
> or go with 'no state'
> both options will allow outbound icmp replies to leave gw1.
This does explain why when I comment the ‘block all’, it works.
Though surely when I tried ‘pass out all’ or ‘pass out vlan409’, it should
have allowed it, which it did not.
It’s also worth noting that this only affects traffic on the host itself,
from gw2’s loopback address. If I ping it from a machine on a VLAN behind
the gateways, it works fine - I think because the reply does not need to
traverse the linknet back to gw2, because the destination is on-net for gw1
when the reply comes in, so it’s transmitted on the correct VLAN interface.
Though, it doesn’t explain why it’s allowed to pass on that interface and
not the linknet (vlan409/209).
The thing I don’t get about the going stateless thing, albeit without
actually trying it yet, is how to allow replies through without state (like
allowing established, related on Linux).
Thanks,
Ian
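As an added illustration (not part of the thread or of anyone's actual ruleset) of the two workarounds Alexandr describes, here is what each looks like in pf.conf on gw1. It assumes vlan409 is gw1's linknet interface toward gw2; pick one of the two alternatives, not both.

```pf
# Added example, not from the thread. Assumes vlan409 is gw1's linknet
# toward gw2, and that the only ICMP state gw1 holds is the single one
# pfsync copied from gw2 (which allows the inbound reply only).

linknet = "vlan409"

# Workaround 1: stay stateful but relax the stateful check. The (sloppy)
# modifier relaxes the check for icmp/icmp6 only; TCP is still tracked
# strictly by pf, so this does not change TCP behaviour.
pass on $linknet inet proto icmp keep state (sloppy)

# Workaround 2: no state at all. Nothing then tracks "established" or
# "related", so the reply direction is not implied by the request: each
# direction needs its own explicit stateless rule, here one for the
# incoming echo request and one for the outgoing echo reply.
#pass in  on $linknet inet proto icmp icmp-type echoreq no state
#pass out on $linknet inet proto icmp icmp-type echorep no state
```

With either alternative, `pfctl -ss` on gw1 shows whether a state is being created for the ICMP traffic on the linknet, which is the quickest way to confirm which rule the packets actually hit.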