(openbsd 5.1/amd64) Hello,
I filter icmp echoreq for one host, but on output. The rules are:

    pass in quick on $ext_if inet proto icmp from any to any icmp-type echoreq keep state (floating)
    block out quick on $int_if inet proto icmp from any to $host

When I ping this $host from outside, I sometimes see some unreachable icmp replies coming from the firewall (the block policy is default: drop).

tcpdump on $ext_if

    94.23.254.147 > 195.220.94.163: icmp: echo request
    193.51.184.25 > 94.23.254.147: icmp: host 195.220.94.163 unreachable
    94.23.254.147 > 195.220.94.163: icmp: echo request
    94.23.254.147 > 195.220.94.163: icmp: echo request
    94.23.254.147 > 195.220.94.163: icmp: echo request
    ...
    193.51.184.25 > 94.23.254.147: icmp: host 195.220.94.163 unreachable

The good thing is that the echoreq packet is dropped, but I don't understand why the firewall sometimes replies with an icmp unreachable?

Thanks, regards.