>Synopsis:	pf.conf(5) rules: antispoof & pass in lo0
>Category:	system
>Environment:
	System      : OpenBSD 5.2
	Details     : OpenBSD 5.2 (GENERIC) #278: Wed Aug 1 10:04:16 MDT 2012
	                 dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC

	Architecture: OpenBSD.i386
	Machine     : i386
	vge0 at pci1 dev 0 function 0 "VIA VT612x" rev 0x82: apic 4 int 0, address 00:1f:f2:07:12:01
	ipgphy0 at vge0 phy 22: IP1001 10/100/1000 PHY, rev. 0
>Description:
	pf.conf rule:

		antispoof for egress inet

	produces:

		block drop in on ! egress inet from 128.164.219.0/25 to any
		block drop in inet from 128.164.219.9 to any set ( prio 0 )

	On the host, No route to host after the first response,

		# ping 128.164.219.9
		PING 128.164.219.9 (128.164.219.9): 56 data bytes
		64 bytes from 128.164.219.9: icmp_seq=0 ttl=255 time=0.094 ms
		ping: sendto: No route to host
		ping: wrote 128.164.219.9 64 chars, ret=-1

	Remove the rule, ping works fine.

	If it matters, the egress is,

		vge0: flags=28843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,NOINET6> mtu 1500
			lladdr 00:1f:f2:07:12:01
			description: Vlan 70
			priority: 0
			groups: egress
			media: Ethernet autoselect (1000baseT full-duplex,master)
			status: active
			inet 128.164.219.9 netmask 0xffffff80 broadcast 128.164.219.127

	The same thing happens on lo0, not with antispoof but with pass in,

	pf.conf rule:

		pass in quick on lo0 all

	produces:

		pass in quick on lo0 all flags S/SA

	On the host,

		# ping localhost
		PING localhost.seas.gwu.edu (127.0.0.1): 56 data bytes
		64 bytes from 127.0.0.1: icmp_seq=0 ttl=255 time=0.082 ms
		ping: sendto: No route to host
		ping: wrote localhost.seas.gwu.edu 64 chars, ret=-1

	Remove the rule, ping works fine.
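As an added example, not part of the report and not the submitter's pf.conf: pf.conf(5) notes under ANTISPOOF that the rules the directive generates "interfere with packets sent over loopback interfaces to local addresses" and that such packets should be passed explicitly. The second expanded rule quoted above, `block drop in inet from 128.164.219.9 to any`, carries no `on <interface>` qualifier, so it also matches packets a process on the host sends to its own address, which the kernel delivers over lo0. The fragment below places the reported rule next to the usual remedy from the PF FAQ, `set skip on lo0`; the interface group and addresses are the ones in the report, and the trailing egress policy is a placeholder.

```pf
# Added example; not the reporter's configuration.
# Interface group and addresses are taken from the report above.

# Exempt the loopback interface from filtering altogether. pf options
# must come before filter rules. Without this, the second rule that
# "antispoof for egress inet" expands to (no "on <if>" qualifier) also
# matches locally generated packets to 128.164.219.9, which travel
# over lo0; the report above shows ping failing in exactly that setup.
set skip on lo0

# Drop packets that claim a source in the egress network but arrive
# on some other interface. pfctl -nvf shows this expanding to:
#   block drop in on ! egress inet from 128.164.219.0/25 to any
#   block drop in inet from 128.164.219.9 to any
antispoof for egress inet

# Placeholder policy for the egress interface: default deny inbound,
# allow outbound, and answer echo requests so the host stays pingable.
block in on egress
pass out on egress
pass in on egress inet proto icmp icmp-type echoreq
```

Check the result with `pfctl -nvf /etc/pf.conf` before loading it: `-n` parses without loading and `-v` prints the expanded rule set, so the two block rules antispoof generates, and the fact that lo0 is skipped, are visible before anything takes effect.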