On 2022/05/02 18:11, Alexandr Nedvedicky wrote:
> comment at line 3697, says we don't allow pf to create state
> on behalf of icmp replies. This is a default behavior, which may
> be changed by specifying 'keep state (sloppy)' (PFRULE_STATESLOPPY).

ooh, this is why I didn't spot the problem. I don't believe this is
documented outside of the source code.

> the sloppy option is described in pf.conf(5) manpage:
>
>     sloppy
>         Uses a sloppy TCP connection tracker that does not check sequence
>         numbers at all, which makes insertion and ICMP teardown attacks way
>         easier. This is intended to be used in situations where one does
>         not see all packets of a connection, e.g. in asymmetric routing
>         situations. It cannot be used with modulate state or synproxy
>         state.
>
> it does not mention ICMP handling at all. However it says one may want
> to use it when dealing with 'asymmetric routing' situation.

_at least_ the change in ICMP behaviour needs to be documented here; the
manual makes me think that sloppy does nothing for non-TCP. (I try to
avoid sloppy, I have had problems in the past with huge numbers of states
for TCP connections stacking up which I can only attribute to this).
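As an added pf.conf illustration of the point discussed in the thread (not from the thread itself or from OpenBSD's sources), the default ICMP tracking and the sloppy variant side by side; the interface name, network and macro names are assumed placeholders:

```pf
# Assumed placeholders: em0 and 192.0.2.0/24 are constructed for this example.
ext_if = "em0"
lan    = "192.0.2.0/24"

# Default tracking: state is created for the outbound echo request, and the
# matching echo reply is passed by that state. A reply arriving with no
# matching state (the request left via another path) gets no state created
# on its behalf.
pass out on $ext_if inet proto icmp from $lan icmp-type echoreq

# Asymmetric path: only the reply reaches this firewall. With
# 'keep state (sloppy)' (PFRULE_STATESLOPPY) pf may create state on behalf
# of the reply. Scope sloppy to the one rule that needs it; the manpage
# notes it weakens tracking, so do not set it globally.
pass in on $ext_if inet proto icmp from any to $lan icmp-type echorep keep state (sloppy)

# Checks: 'pfctl -nf /etc/pf.conf' parses the file without loading it;
# 'pfctl -ss' lists current states, so reply-created icmp states are visible.
```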
