Consider the following setup (OpenBSD 4.0-current):
Win PC ----> (vlan1) [OpenBSD FW] (vlan0) ----> Host
1. With the following pf ruleset:
set skip on { lo0 }
scrub all fragment reassemble
block drop all
A ping command on the Windows PC towards the Host (172.23.1.21) gives
the following (expected) result:
-----------------------------------------------------
Pinging 172.23.1.21 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 172.23.1.21:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
-----------------------------------------------------
2. However, with the following ruleset:
set skip on { lo0 }
scrub all fragment reassemble
block drop all
pass in on vlan1 inet all flags S/SA keep state
Here is what I get:
-----------------------------------------------------
Pinging 172.23.1.21 with 32 bytes of data:
Reply from 172.23.66.1: Destination host unreachable.
Reply from 172.23.66.1: Destination host unreachable.
Reply from 172.23.66.1: Destination host unreachable.
Reply from 172.23.66.1: Destination host unreachable.
Ping statistics for 172.23.1.21:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
-----------------------------------------------------
As I understand it in #1 the echo-request packets are simply dropped
by the 'block drop all' for the vlan1 interface and nothing is
returned.
However, at #2 I expected the same behavior because although the
packets are "let through" on the vlan1 interface, the way I see it the
vlan0 interface matches the 'block drop all' rule and I simply assumed
that the echo-request packet would be dropped as well. However, I was
surprised to see ICMP host unreachable messages being sent back from
the OpenBSD firewall.
What am I doing wrong? How can I keep putting the "blocking" step on
the "outbound" interface and yet *not* return any ICMP unreachable
packets when traffic is blocked?
Thanks,
-Martin
--
"Suburbia is where the developer bulldozes out the trees, then names
the streets after them."
--Bill Vaughan
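A diagnostic variant of ruleset #2, added here as an example and not part of Martin's post: the same rules with the `log` keyword added so that every match is written to the pflog0 interface, which shows on which interface, in which direction and by which rule the echo-request is actually handled. Interface names and the address layout are taken from the post; the tcpdump invocation and the need to bring pflog0 up are standard OpenBSD practice and are assumptions about this particular setup.

```pf
# Added diagnostic ruleset (not from the original post): ruleset #2 from the
# message, with 'log' added to both rules so that each match is recorded on
# pflog0. Interface names and addresses are assumed from the post.
set skip on { lo0 }
scrub all fragment reassemble

# Log every packet this rule drops, whichever interface/direction it hits.
block drop log all

# Log the packets that are let in on vlan1 and create state for them.
pass in log on vlan1 inet all flags S/SA keep state

# Usage (assumed standard workflow, not from the post):
#   pfctl -f /etc/pf.conf
#   ifconfig pflog0 up
#   tcpdump -n -e -ttt -i pflog0 icmp
# Each logged line carries the rule number, the action (block/pass), the
# direction (in/out) and the interface name, so it shows directly whether an
# echo-request from the Windows PC was dropped on vlan1 in, dropped on vlan0
# out, or passed by the state rule and handled elsewhere in the stack.
```

Comparing the pflog0 output for the two rulesets makes the difference between case #1 and case #2 visible rule by rule, rather than inferring it only from what the Windows ping prints.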