On Tue, Oct 14, 2003 at 03:57:56PM -0500, Jay Moore wrote:

> I see frequent inbound icmp from and to ports 256, 512, 768 and 1024 (and
> occasionally other ports). I've googled this, but got nothing useful.
> What's this traffic all about anyway?
ICMP queries/replies (like echo request and echo reply used by ping) create state entries per your rules. ICMP doesn't know ports like TCP and UDP, but queries have an ID field, which is used to associate replies with the queries they relate to. For instance, if you ping a host, the sender will pick a (random) ID for the echo requests, and the receiver will use the same ID in its echo replies. pf uses these IDs to match ICMP replies against ICMP state entries, in the same way as the ping process on the sender does to calculate the round-trip time (imagine several ping processes pinging the same destination concurrently).

Since there is no port information in ICMP state entries, and the ICMP ID has the same size as TCP/UDP ports, the ID is stored in the same place in the state entries. pfctl -ss and pftop show these IDs instead of the port for ICMP state entries, which is not particularly interesting to watch, but can help with debugging in certain cases (if you tcpdump ICMP packets, you see the same ID in hex).

Since the ID is chosen randomly, it wouldn't make much sense to allow filtering based on it as a criterion, so you can just watch the IDs. If you see more IDs like 256, 512, etc. (powers of 2), that means the sender is not generating them randomly, I guess.

Daniel
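Added example (not part of Daniel's mail, and not pf code): a small Python model of the mechanism the reply describes. It builds and parses ICMP echo packets, keeps a toy state table keyed on the echo ID in the slot where a TCP/UDP entry would carry the port, matches inbound replies to outbound requests by that ID (two concurrent pingers with different IDs get separate entries), and renders the ID's two network-order bytes in hex the way a packet dump shows them. The addresses and IDs are constructed sample values, and the state listing format is a simplification, not pfctl's exact output.

```python
import struct

# ICMP type values (RFC 792)
ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes = b"") -> bytes:
    """Build an ICMP echo request/reply: type, code, checksum, identifier, sequence."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_echo(packet: bytes):
    """Return (type, ident, seq, payload); reject short, non-echo or corrupt packets."""
    if len(packet) < 8:
        raise ValueError("ICMP header truncated")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    if icmp_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY) or code != 0:
        raise ValueError("not an echo message")
    # With the checksum field included, a valid packet sums to 0xFFFF, so
    # recomputing the checksum over the whole packet yields 0.
    if icmp_checksum(packet) != 0:
        raise ValueError("bad ICMP checksum")
    return icmp_type, ident, seq, packet[8:]


class IcmpStateTable:
    """Toy model of a stateful filter's ICMP state table (a simplification
    written for illustration, not pf's real state key): entries are keyed on
    (src, dst, echo ID), the ID sitting where a TCP/UDP entry holds the port."""

    def __init__(self):
        self.entries = {}  # (src, dst, ident) -> set of sequence numbers seen

    def outbound(self, src: str, dst: str, packet: bytes) -> bool:
        """Create or refresh state for an outbound echo request."""
        icmp_type, ident, seq, _ = parse_echo(packet)
        if icmp_type != ICMP_ECHO_REQUEST:
            return False
        self.entries.setdefault((src, dst, ident), set()).add(seq)
        return True

    def inbound(self, src: str, dst: str, packet: bytes) -> bool:
        """Pass an inbound echo reply only if a request with the same ID created state."""
        icmp_type, ident, _seq, _ = parse_echo(packet)
        if icmp_type != ICMP_ECHO_REPLY:
            return False
        # The reply travels dst -> src relative to the request, so look up the reversed pair.
        return (dst, src, ident) in self.entries

    def show(self):
        """Render entries roughly like a state listing, with the ID in the port slot."""
        return ["icmp %s:%d -> %s:%d" % (s, i, d, i) for (s, d, i) in sorted(self.entries)]


def ident_on_the_wire(ident: int) -> str:
    """Hex of the identifier's two network-order bytes, as a packet dump shows them."""
    return struct.pack("!H", ident).hex()


if __name__ == "__main__":
    table = IcmpStateTable()
    # Constructed sample: two ping processes on 10.0.0.2 hit 10.0.0.1 at the
    # same time, each with its own ID, so each gets its own state entry.
    table.outbound("10.0.0.2", "10.0.0.1", build_echo(ICMP_ECHO_REQUEST, 0x1A2B, 1, b"ping-a"))
    table.outbound("10.0.0.2", "10.0.0.1", build_echo(ICMP_ECHO_REQUEST, 256, 1, b"ping-b"))
    print("\n".join(table.show()))
    reply = build_echo(ICMP_ECHO_REPLY, 0x1A2B, 1, b"ping-a")
    print("reply with ID 0x1a2b matches state:", table.inbound("10.0.0.1", "10.0.0.2", reply))
    stray = build_echo(ICMP_ECHO_REPLY, 0x3333, 1, b"ping-?")
    print("reply with unknown ID matches state:", table.inbound("10.0.0.1", "10.0.0.2", stray))
    print("ID 256 on the wire:", ident_on_the_wire(256))
```

The listing shows why the "port" column of an ICMP entry is just the echo ID, and why a reply with an ID no request ever used finds no state to match. `ident_on_the_wire(256)` returns `0100`, the same two bytes a dump of the packet would show for that ID.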
