Hello,
On Mon, May 02, 2022 at 11:08:49PM +0100, Ian Chilton wrote:
> Hi,
>
> > those ICMP teardown attacks affect TCP sessions only. The 'keep state
> > (sloppy)'
> > relaxes stateful check for icmp, icmp6 only. For TCP pf still performs
> > strict stateful check.
> >
> >
> Hmm, just to be clear: the original problem was with TCP - rsync’ing RPKI
> ROAs from rpki.ripe.net. I just then turned to ping to debug.
>
> So I do need a fix for TCP/UDP as well as just ICMP.
>
This is the relevant portion of the rules you shared in your
first email:
block all
pass out quick on linknet from (self)
pass out quick on { admin, external, linknet } proto { tcp, udp }
pass quick proto { icmp, icmp6 }
From gw2's point of view it makes sense, because we block everything inbound with
the 'block all' rule. Outbound TCP/UDP sessions are allowed. The first outbound
packet creates a state, which allows the reply to come back. Such a state is also
transmitted by pfsync to gw1.
Let's turn our attention to gw1, which is seeing a reply to the request packet
sent by gw2. There is a state on gw1 which allows the inbound reply. The inbound
reply gets forwarded and is about to leave gw1 as an outbound packet.
There is no state which matches the outbound reply at gw1. Unless the outbound
interface towards gw2 is in the admin/external/linknet group, the outbound icmp
reply packet will match the block all rule on gw1.
regards
sasha
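As an added illustration of the state-direction reasoning in the mail above (this
is not part of sasha's message and not pf's own lookup code): a small Python script
that parses constructed `pfctl -ss` lines, as they might appear on gw1 after pfsync
has replicated the states gw2 created, and checks whether a given packet, inbound
or outbound, is carried by one of those states. The match rule it implements is the
one the message describes: a state created by an outbound packet passes further
outbound packets with the same tuple and inbound replies with the tuple reversed,
while the same reply travelling outbound finds no state and drops through to the
ruleset. Addresses, ports and state lines are made up; the parser assumes floating
states ("all") and no NAT, so no parenthesised addresses in the output.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed `pfctl -ss` lines (documentation address ranges), standing in for
# the states gw1 would hold after pfsync copied them from gw2. Not captured output.
SAMPLE_PFCTL_SS = """\
all tcp 192.0.2.10:41234 -> 193.0.24.22:873       ESTABLISHED:ESTABLISHED
all udp 192.0.2.10:53124 -> 193.0.24.1:53       MULTIPLE:SINGLE
all tcp 198.51.100.7:22 <- 203.0.113.5:55000       ESTABLISHED:ESTABLISHED
"""


@dataclass(frozen=True)
class PfState:
    ifname: str      # "all" for a floating state, otherwise the bound interface
    proto: str
    src: str         # address:port of the packet that created the state
    dst: str
    direction: str   # "out" if created by an outbound packet ("->"), "in" for "<-"
    tracking: str    # e.g. ESTABLISHED:ESTABLISHED


_LINE = re.compile(
    r"^(?P<ifname>\S+)\s+(?P<proto>\S+)\s+(?P<left>\S+)\s+(?P<arrow>->|<-)\s+"
    r"(?P<right>\S+)\s+(?P<tracking>\S+)\s*$"
)


def parse_pfctl_ss(text: str) -> list[PfState]:
    """Parse `pfctl -ss` lines into PfState records (assumption: no NAT columns)."""
    states = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue  # blank line or a format this small parser does not handle
        # pfctl prints "src -> dst" for a state created by an outbound packet and
        # "dst <- src" for one created by an inbound packet; normalise to src/dst.
        if m["arrow"] == "->":
            src, dst, direction = m["left"], m["right"], "out"
        else:
            src, dst, direction = m["right"], m["left"], "in"
        states.append(PfState(m["ifname"], m["proto"], src, dst, direction, m["tracking"]))
    return states


def find_state(states: list[PfState], proto: str, src: str, dst: str,
               direction: str) -> Optional[PfState]:
    """Return the state that carries this packet on this pass, or None.

    Implements the rule described in the mail: same tuple + same direction as the
    state, or reversed tuple + opposite direction (a reply). A reversed tuple in
    the *same* direction as the state is not covered and falls to the ruleset.
    Only floating states are considered here (assumption for this example).
    """
    for st in states:
        if st.proto != proto or st.ifname != "all":
            continue
        same_way = (src, dst) == (st.src, st.dst)
        reply = (src, dst) == (st.dst, st.src)
        if (same_way and direction == st.direction) or (reply and direction != st.direction):
            return st
    return None


def trace_reply_on_gw1(states: list[PfState], proto: str, src: str, dst: str) -> dict:
    """Follow a reply through gw1: first the inbound pass, then the outbound pass
    toward gw2. Returns which of the two passes found a matching state."""
    return {
        "in": find_state(states, proto, src, dst, "in") is not None,
        "out": find_state(states, proto, src, dst, "out") is not None,
    }


if __name__ == "__main__":
    states = parse_pfctl_ss(SAMPLE_PFCTL_SS)
    # Reply from the rsync server to the session gw2 opened.
    result = trace_reply_on_gw1(states, "tcp", "193.0.24.22:873", "192.0.2.10:41234")
    for direction, matched in result.items():
        verdict = "state found" if matched else "no state, falls to 'block all'"
        print(f"reply {direction:>3} on gw1: {verdict}")
```

Running it shows the reply matched on the inbound pass and unmatched on the outbound
pass, which is the drop the mail describes. On a real gw1 the corresponding check
is `pfctl -ss` (or `pfctl -vvss`) once pfsync has replicated the state: confirm the
state is present, note which way its arrow points, and remember that a state listed
with an interface name instead of "all" would additionally require the interface to
match.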