Hi,
On Mon, 2 May 2022 at 21:28, Alexandr Nedvedicky <
[email protected]> wrote:
> > is there a pfsync(4) configured between gw2 and gw1?
Yes!
> ICMP reply arrives to gw1. It enters pf(4) as inbound packet.
> inbound ICMP reply is allowed by state. pf(4) accepts packet.
> packet enters IP stack at gw1, which forwards the packet towards
> destination.
>
> when packet reaches outbound NIC at gw1 it is intercepted
> by pf again as outbound ICMP reply. There is no state, which
> allows outbound ICMP reply. pf checks rules for ICMP reply:
> pass quick {icmp, icmp6} all
> rule does not match, because implicit 'keep state', is not
> allowed to create state for icmp replies.
but surely that should match the same state entry [that allowed it to
ingress]??
On a separate, but related note. I’m clearly missing some fundamental
understanding of stateful firewalls, but when there is a rule saying “allow
all ICMP”, then surely all ICMP should then be allowed, regardless of state?
Thanks,
Ian
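The sequence quoted above (request leaves via gw2, state is copied to gw1 by pfsync, reply arrives at gw1 and is checked once on the inbound NIC and again on the outbound NIC) can be walked through with a small Python model. This is an added illustration, not pf(4) source or anything from the thread's participants: it reduces a state to the initiator address pair, the ICMP echo id and the direction of the creating packet, so a state matches a packet either in the creating direction with the same addresses (the request) or in the opposite direction with swapped addresses (the reply). The `stateless_icmp_rule` knob is a modelling assumption standing in for a rule evaluated without state tracking (in pf.conf syntax that is the `no state` rule option); the hostnames and addresses are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional

ECHO_REQUEST, ECHO_REPLY = 8, 0   # ICMP types (RFC 792)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    icmp_type: int
    icmp_id: int
    direction: str   # "in" or "out", relative to the pf hook evaluating it


@dataclass(frozen=True)
class State:
    src: str         # initiator (the host that sent the echo request)
    dst: str
    icmp_id: int
    direction: str   # direction of the packet that created the state


class Firewall:
    """Toy stateful firewall with a single rule: 'pass quick proto icmp all'."""

    def __init__(self, name: str, stateless_icmp_rule: bool = False):
        self.name = name
        self.states: List[State] = []
        # Assumption: models the rule being evaluated with 'no state'.
        self.stateless_icmp_rule = stateless_icmp_rule

    def find_state(self, p: Packet) -> Optional[State]:
        for s in self.states:
            same_dir = p.direction == s.direction
            if same_dir and (p.src, p.dst, p.icmp_id) == (s.src, s.dst, s.icmp_id):
                return s    # forward lookup: the original request
            if not same_dir and (p.src, p.dst, p.icmp_id) == (s.dst, s.src, s.icmp_id):
                return s    # reverse lookup: the reply coming back
        return None

    def evaluate(self, p: Packet) -> str:
        if self.find_state(p):
            return "pass (state)"
        if self.stateless_icmp_rule:
            return "pass (rule, no state)"
        # Implicit keep state: the model refuses to build a state from a reply,
        # so the rule is treated as not matching (as described in the thread).
        if p.icmp_type == ECHO_REPLY:
            return "no match: implicit keep state refuses to create state from a reply"
        self.states.append(State(p.src, p.dst, p.icmp_id, p.direction))
        return "pass (rule, new state)"


def pfsync(src: Firewall, dst: Firewall) -> None:
    """Model of pfsync: copy the state table from one gateway to the other."""
    dst.states = list(src.states)


def simulate(stateless: bool = False) -> dict:
    host, remote, ident = "10.0.0.5", "203.0.113.9", 0x1234   # constructed values
    gw1, gw2 = Firewall("gw1", stateless), Firewall("gw2", stateless)
    out = {}
    # 1. echo request leaves the site through gw2 and creates a state there
    out["gw2 request out"] = gw2.evaluate(Packet(host, remote, ECHO_REQUEST, ident, "out"))
    pfsync(gw2, gw1)
    # 2. the reply is routed back asymmetrically and enters gw1 on its outside NIC
    out["gw1 reply in"] = gw1.evaluate(Packet(remote, host, ECHO_REPLY, ident, "in"))
    # 3. gw1 forwards it; pf evaluates the same packet again on the inside NIC
    out["gw1 reply out"] = gw1.evaluate(Packet(remote, host, ECHO_REPLY, ident, "out"))
    return out


if __name__ == "__main__":
    for mode in (False, True):
        print("stateless rule:", mode)
        for step, verdict in simulate(mode).items():
            print(f"  {step:18s} -> {verdict}")
```

Step 2 matches the synced state via the reverse lookup. Step 3 matches nothing: the packet travels in the same direction as the creating request but carries the swapped address pair, so neither lookup fits, and the only rule cannot create a state from a reply. Flipping the assumption to a rule without state tracking passes the packet at every hook, which is the behaviour one intuitively expects from "allow all ICMP".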