Re: [PF 5.1] strange unreachable icmp reply from firewall
I've been having the same problem for the past few days now, and my research has turned up a few people experiencing exactly the same thing you are, across different versions of pf on different operating systems. A few references I found offhand:

    http://www.mail-archive.com/misc@openbsd.org/msg30646.html
    http://openbsd.7691.n7.nabble.com/PF-question-set-block-policy-drop-spoofed-ip-NAT-ed-elicits-icmp-unreachable-tt14709.html

As well as a thread I started myself:

    http://forum.pfsense.org/index.php/topic,56558.msg302461.html

None of the responses were very helpful, though, as far as I could find, in terms of actually getting around this.
[PF 5.1] strange unreachable icmp reply from firewall
(openbsd 5.1/amd64)

Hello,

I filter icmp echoreq for one host, but on output. The rules are:

    pass in quick on $ext_if inet proto icmp from any to any icmp-type echoreq keep state (floating)
    block out quick on $int_if inet proto icmp from any to $host

When I ping this $host from outside, I sometimes see unreachable icmp replies coming from the firewall (the block policy is the default: drop).

tcpdump on $ext_if:

    94.23.254.147 > 195.220.94.163: icmp: echo request
    193.51.184.25 > 94.23.254.147: icmp: host 195.220.94.163 unreachable
    94.23.254.147 > 195.220.94.163: icmp: echo request
    94.23.254.147 > 195.220.94.163: icmp: echo request
    94.23.254.147 > 195.220.94.163: icmp: echo request
    ...
    193.51.184.25 > 94.23.254.147: icmp: host 195.220.94.163 unreachable

The good thing is that the echoreq packet is dropped, but I don't understand why the firewall sometimes replies with an icmp unreachable?

Thanks, regards.
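To make the drop observable rather than inferred, the ruleset from the post can be restated with an explicit block policy and a logged block rule, so that every packet the outbound rule discards shows up on pflog0 with the rule number that matched. This is an added example, not the original poster's pf.conf; the interface names, the $host value and the macro names are assumptions for illustration.

```conf
# Added example pf.conf fragment (not the original poster's configuration).
# Assumed macros; replace with the real interfaces and host.
ext_if = "em0"
int_if = "em1"
host   = "195.220.94.163"

# State the policy explicitly instead of relying on the default,
# so a later "set block-policy return" cannot creep in unnoticed.
set block-policy drop

# Same rules as in the post, with "log" on the block so the drop is visible.
pass in quick on $ext_if inet proto icmp from any to any icmp-type echoreq keep state (floating)
block out log quick on $int_if inet proto icmp from any to $host

# Checks (run on the firewall):
#   pfctl -nf /etc/pf.conf          # syntax-check before loading
#   pfctl -f /etc/pf.conf           # load
#   pfctl -vvsr                     # rule numbers and per-rule counters
#   tcpdump -n -e -ttt -i pflog0    # each logged drop, with "rule N/(match) block out on em1"
#   tcpdump -n -i em0 icmp          # confirm whether the unreachable still appears on the outside
```

If the pflog0 trace shows the block rule matching while tcpdump on $ext_if still shows a host unreachable from the firewall's own address, the ICMP error is not being produced by the block rule's reply policy (it is drop), which narrows the search to the forwarding path rather than the ruleset.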