On Fri, Oct 12, 2012 at 9:42 PM, Patrick Lamaiziere <[email protected]> wrote:
> Hello,

Hi Patrick,

> As far as I can see, PF replies with an ICMP unreachable if a packet is
> dropped in output, even if the block policy is "drop". Which is not the
> intended behavior.

I've tested with a simple lab:

    PC_1 (10.0.12.1) <===> (em0) FW (em1) <===> PC_2 (10.0.23.3)

and this 3-line rule set:

    set block-policy drop
    block all
    pass proto tcp from em0:network to em1:network

Then I've tried to ssh from PC_2 to PC_1, and all traffic is dropped (no ICMP generated).

Tested on -current, 8.2-RELEASE-p6, and 9.1-RC2.

Then I've tried with your rule set adapted to my lab:

    block log (all)
    pass in quick to 10.0.23.3 no state
    block drop out quick on em1 to 10.0.23.3
    pass out quick
    pass in quick inet

And I've tried to ssh from PC_1 to PC_2, and all traffic is dropped (no ICMP generated) too.

One remark: I'm using pf as a module (not compiled in the kernel).

Regards,
Olivier

_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[email protected]"
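An added pf.conf for the lab above (example configuration, not from either mail in the thread) that makes the drop-versus-return behaviour explicit per rule instead of inheriting it from the global policy, so a later change to `set block-policy` cannot silently alter what a sender observes. Interfaces and addresses are the lab's; the `int_if`/`ext_if` macro names and the port 23 rule are this example's own.

```pf
# Lab from the thread: PC_1 (10.0.12.1) <===> (em0) FW (em1) <===> PC_2 (10.0.23.3)
int_if = "em0"   # side of PC_1
ext_if = "em1"   # side of PC_2

# Global policy applied by every "block" rule that carries no modifier.
#   drop   : discard silently
#   return : TCP RST for TCP, ICMP unreachable for UDP, silent otherwise
set block-policy drop
set skip on lo

# Rules with an explicit modifier never depend on the global setting.
# Default deny, always silent and logged so drops show up in pflog:
block drop log all

# Illustrative only: a service where a fast, explicit refusal is wanted
# (telnet from PC_1's side) gets "return" regardless of the policy above.
block return in quick on $int_if proto tcp to port 23

# The traffic under test: ssh from PC_1's network to PC_2's network.
# Stateful, so the replies are matched against the state entry instead of
# being re-evaluated (and possibly blocked) by the outbound rules.
pass in  quick on $int_if proto tcp from $int_if:network to $ext_if:network \
    port 22 keep state
pass out quick on $ext_if proto tcp from $int_if:network to $ext_if:network \
    port 22 keep state

# Checks a practitioner would run to confirm the behaviour being reported:
#   pfctl -nf /etc/pf.conf          syntax check without loading
#   pfctl -f /etc/pf.conf && pfctl -sr   load, then list the active rules
#   pfctl -vsr                      per-rule match/byte counters
#   tcpdump -ni em1 icmp            should stay silent for blocked ssh with "drop"
```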
