On Fri, Oct 13, 2006 at 02:10:08PM -0400, Martin Gignac wrote:
> 2. However, with the following ruleset:
>
> set skip on { lo0 }
> scrub all fragment reassemble
> block drop all
> pass in on vlan1 inet all flags S/SA keep state
>
> Here is what I get:
>
> -----------------------------------------------------
> Pinging 172.23.1.21 with 32 bytes of data:
>
> Reply from 172.23.66.1: Destination host unreachable.
> Reply from 172.23.66.1: Destination host unreachable.
> Reply from 172.23.66.1: Destination host unreachable.
> Reply from 172.23.66.1: Destination host unreachable.
These ICMP errors are not generated by pf, but by the TCP/IP stack.
You let the ping pass in. The stack tries to forward it. When it tries
to send the ping out through an interface, pf blocks it without
generating any packet itself. However, the function call to send out the
packet failed (the packet couldn't be sent out, pf prevented it), and
the stack reacts to that failure by issuing an ICMP error to the sender
of the ping, similar to how it would do if it had found no route to the
destination, or if you had unplugged the cable of the interface the
packets should be sent out through.

I don't think there's a sysctl to prevent the generation of ICMP errors
from the stack in this case (maybe net.inet.icmp.errppslimit=0 would
work), it's a feature of IP forwarding, not a bug ;)

Generally, you should try to block the packets as early as possible,
i.e. on the input path. With static routing, you should be able to
tell which packets will end up going out on what interface based on the
destination address...

Daniel
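As an added example (not a ruleset posted by Martin or Daniel), here is the same pf.conf rewritten along the lines Daniel suggests: the decision is made on the input path of vlan1, keyed on the destination address, so the forwarding stack never gets a packet that pf will later drop on the way out. The topology is assumed, not stated in the thread: the router's vlan1 address 172.23.66.1 is on 172.23.66.0/24, and 172.23.1.0/24 (containing the pinged host 172.23.1.21) is reached through a second interface called vlan2.

```pf
# Added example, not from the original thread.
# Assumed topology (not stated in the thread):
#   vlan1: 172.23.66.1/24, the sender's side
#   vlan2: route to 172.23.1.0/24 (the pinged host 172.23.1.21)

set skip on { lo0 }
scrub all fragment reassemble

# Default deny. "log" makes every drop visible on pflog0, so you can see
# on which interface and in which direction a packet was dropped.
block drop log all

# Martin's ruleset passed everything in on vlan1 and let the stack try to
# forward it; the drop then happened on the output path of the other
# interface, and the stack answered with "Destination host unreachable".
#
# Decide on the input path instead. Static routing makes the outbound
# interface predictable from the destination, so the traffic that would
# have been dropped on the way out of vlan2 is dropped here, silently,
# before the forwarding code ever sees it:
block drop log in quick on vlan1 inet from 172.23.66.0/24 to 172.23.1.0/24

# Traffic that is meant to be forwarded is passed on both legs: in on
# vlan1 and out on vlan2.
pass in  on vlan1 inet from 172.23.66.0/24 to any flags S/SA keep state
pass out on vlan2 inet from 172.23.66.0/24 to any flags S/SA keep state
```

With this ruleset the ping from the vlan1 side simply times out instead of receiving "Destination host unreachable", because `block drop` on the input path drops the packet before the stack has anything to report on. If you do want the sender to get an unreachable message, make pf send it on purpose with `block return-icmp in quick on vlan1 ...` rather than relying on the forwarding code's error path. To confirm where a packet is being dropped, watch the pflog interface while pinging: `tcpdump -n -e -ttt -i pflog0` prints, for every logged block, the rule number, the direction (`in`/`out`) and the interface name, which is exactly the information needed to tell an input-path drop from the output-path drop Martin observed.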