Hi,

I'm trying to use the nifty pf feature of matching ICMP replies to the state table in order to keep my ruleset for ICMP as small as possible. The relevant rules in my pf.conf are below. Tcpdump output from pflog shows several ICMP packets being filtered by these rules, namely:
- type 11 time exceeded
- type 3 destination unreachable coming back from an intermediate router (i.e. not the destination machine)


So I would assume that "keep state" only works for ICMP replies coming from one of the two machines directly involved in the connection. This makes perfect sense if pf does not inspect the ICMP content to determine whether it's part of an established connection. I assume this is a known issue/expected behaviour? Is the recommended way of dealing with this a set of extra rules to handle this kind of traffic?

And while I'm at it, is there anywhere I can see which types of ICMP are *not* let back in even if they match a state (I assume that type 5 redirect at least is always filtered unless there is an explicit rule)?

Thanks for your time; my rules follow below.

Marc
pass in on $public all keep state
pass out on $public all keep state

pass in quick on $public inet proto icmp \
        from any to <mynet> \
        icmp-type 8 keep state
pass in quick on $public inet proto icmp \
        from $router to <mynet> \
        icmp-type 9 keep state
block in quick log on $public inet proto icmp \
        from any to <mynet>

pass out quick on $public inet proto icmp \
        from <mynet> to any \
        icmp-type 8 keep state
block out quick log on $public inet proto icmp \
        from <mynet> to any
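The question above hinges on whether the firewall looks inside an ICMP error to find the connection it belongs to. As an added illustration (not from the original post, and not pf's own code), this Python sketch extracts the quoted original packet from an ICMP type 3/11 message and compares it with the recorded state tuple; the addresses and packets are constructed test data, with checksums left at zero.

```python
import socket
import struct

# ICMP types that quote the offending IP header plus its first 8 payload bytes (RFC 792).
# Type 5 (redirect) quotes it too but is deliberately left out of state matching here.
ICMP_ERROR_TYPES = {3, 4, 11, 12}
IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17

def ipv4_header(src, dst, proto, payload_len):
    """Minimal IPv4 header for constructed test packets (checksum left zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def parse_ipv4(buf):
    """Return (header_length, proto, src, dst) from the start of an IPv4 packet."""
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    return (ver_ihl & 0x0F) * 4, proto, socket.inet_ntoa(src), socket.inet_ntoa(dst)

def embedded_flow(pkt):
    """For an ICMP error, return the 5-tuple (proto, src, sport, dst, dport) of the
    ORIGINAL packet quoted inside it; None if pkt is not an ICMP error message."""
    ihl, proto, _, _ = parse_ipv4(pkt)
    if proto != IPPROTO_ICMP:
        return None
    icmp = pkt[ihl:]
    if icmp[0] not in ICMP_ERROR_TYPES:
        return None
    inner = icmp[8:]                      # quoted datagram follows the 8-byte ICMP header
    if len(inner) < 28:                   # need inner IP header + 8 bytes of its payload
        return None
    in_ihl, in_proto, in_src, in_dst = parse_ipv4(inner)
    l4 = inner[in_ihl:in_ihl + 8]
    if in_proto in (IPPROTO_TCP, IPPROTO_UDP):
        sport, dport = struct.unpack("!HH", l4[:4])
    elif in_proto == IPPROTO_ICMP:
        sport = dport = struct.unpack("!H", l4[4:6])[0]   # echo identifier stands in for ports
    else:
        sport = dport = 0
    return (in_proto, in_src, sport, in_dst, dport)

def error_matches_state(pkt, state):
    """state: the 5-tuple recorded for the outbound packet. The outer source of the ICMP
    error (an intermediate router) plays no part; only the quoted inner packet is compared."""
    return embedded_flow(pkt) == state

# Constructed sample: 192.0.2.10 sends a traceroute-style UDP probe; router 203.0.113.1 on the
# path answers with ICMP type 11 (time exceeded) quoting that probe.
STATE = (IPPROTO_UDP, "192.0.2.10", 40000, "198.51.100.5", 33434)
PROBE = ipv4_header("192.0.2.10", "198.51.100.5", IPPROTO_UDP, 8) + struct.pack("!HHHH", 40000, 33434, 8, 0)
TIME_EXCEEDED = ipv4_header("203.0.113.1", "192.0.2.10", IPPROTO_ICMP, 8 + len(PROBE)) + struct.pack("!BBHI", 11, 0, 0, 0) + PROBE
```

A filter that keys ICMP errors only on the outer source and destination, as the post observes, never sees the router-originated reply as part of the state; matching on the quoted inner tuple is what makes that possible.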
