I am having an odd problem and I am hoping someone on the list can point out my error. Here is my pf.conf; the keep state on the icmp doesn't seem to be working, it won't pass the packets out. I.e. I am on host 10.0.0.51, I ping 10.0.4.1 (routing table entry is present for this net) and it won't ping it, but if I ping 10.0.0.1 (fxp1) then it will allow the packet and let it return. I think it is something really simple that I am overlooking but I can't figure it out. Any help is appreciated.
#OpenBSD 3.3

#macros
#interfaces
eth0="fxp0"
eth1="fxp1"
eth2="fxp2"

#lan segment ips
lan1="10.0.0.0/24"
lan2="10.0.1.0/24"
loc="127.0.0.1/8"

#IPs to block
badip="0.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 172.31.0.0/16, 192.168.0.0/16, 224.0.0.0/3, 255.255.255.255/32"
lanip="10.0.0.0/8"

# Normalize: reassemble fragments and resolve or reduce traffic ambiguities
scrub in all
scrub out all

# nat rules for both lan segments
nat on $eth0 from $lan1 to any -> $eth0
nat on $eth0 from $lan2 to any -> $eth0

# rdr port mapping rules if needed
# rdr on $eth0 proto tcp from any to 192.168.1.1/32 port 1234 -> 10.1.1.1 port 5678

# filter rules
#block all in-out
block in log all
block out log all
block in on $eth0 inet proto {tcp, udp} from any to any port 136 >< 140

#allow for dhcp
pass in on $eth0 inet proto {tcp, udp} from any to $eth0 port 67

#allow outgoing traffic from Internet nic to internet if initiated from Internet nic.
pass out on $eth0 inet proto tcp from $eth0 to any modulate state
pass out on $eth0 inet proto udp from $eth0 to any keep state
pass out on $eth0 inet proto icmp from $eth0 to any icmp-type 8 code 0 keep state

#allow nat for both lan segments only if lan segments initiate request.
pass out on $eth0 inet proto tcp from $lan1 to any modulate state
pass out on $eth0 inet proto udp from $lan1 to any keep state
pass out on $eth0 inet proto icmp from $lan1 to any icmp-type 8 code 0 keep state
pass out on $eth0 inet proto tcp from $lan2 to any modulate state
pass out on $eth0 inet proto udp from $lan2 to any keep state
pass out on $eth0 inet proto icmp from $lan2 to any icmp-type 8 code 0 keep state

#allow requests from segment 1 to segment 2 or internet only if segment 1 requests it.
pass in on $eth1 inet proto tcp from $lan1 to any modulate state
pass in on $eth1 inet proto udp from $lan1 to any keep state
pass in on $eth1 inet proto icmp from { $lan1, $loc } to any icmp-type 8 code 0 keep state

#allow requests from segment 2 to segment 1 or internet only if segment 2 requests it.
pass in on $eth2 inet proto tcp from $lan2 to any modulate state
pass in on $eth2 inet proto udp from $lan2 to any keep state
pass in on $eth2 inet proto icmp from { $lan2, $loc } to any icmp-type 8 code 0 keep state

#deny requests out to internet for bad IPs
block out on $eth0 inet from any to { $badip, $lanip, $loc }
block out on $eth1 inet from any to { $badip }
block out on $eth2 inet from any to { $badip }

Amir Seyavash Mesry
[EMAIL PROTECTED]
LSI Logic Corporation
http://www.lsilogic.com/
Raid Support Test Technician
6145-D Northbelt Parkway
Norcross, GA 30071
678-728-1211
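The posted ruleset uses no "quick" rules, so pf evaluates every rule and the last matching one wins, and a packet that belongs to an existing state is passed without the rules being consulted at all. The Python model below is added here as an illustration; it is not part of the original post and not pf's code. It encodes the ICMP-relevant rules above in the posted order (tcp/udp rules, nat and "log" are omitted, and the fxp2 rule is written from $lan2 as its comment intends) and walks the two pings described, both from 10.0.0.51 arriving on fxp1, through the box under the two state behaviours pf names in its set state-policy option: floating (a state matches on any interface) and if-bound (a state only matches on the interface that created it). The fxp0 address 192.0.2.10, the choice of fxp0 or fxp2 as the egress interface for 10.0.4.1, and the Internet host 198.51.100.7 are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Rule:
    action: str        # "block" or "pass"
    direction: str     # "in" or "out"
    ifname: str        # interface name, or "any" for rules written with "all"
    proto: str         # "tcp", "udp", "icmp", or "any"
    src: List[ipaddress.IPv4Network]
    dst: List[ipaddress.IPv4Network]
    icmp_type: Optional[int] = None   # checked only for proto "icmp"; None matches any type
    keep_state: bool = False

def nets(*cidrs: str) -> List[ipaddress.IPv4Network]:
    # strict=False accepts a host-style spec such as 127.0.0.1/8 the way pf does
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]

def in_nets(addr: str, networks: List[ipaddress.IPv4Network]) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in networks)

ANY = nets("0.0.0.0/0")
LAN1, LAN2, LOC = nets("10.0.0.0/24"), nets("10.0.1.0/24"), nets("127.0.0.1/8")
LANIP = nets("10.0.0.0/8")
BADIP = nets("0.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
             "224.0.0.0/3", "255.255.255.255/32")
FXP0 = nets("192.0.2.10/32")   # constructed stand-in for the address of $eth0 (fxp0)

# The ICMP-relevant subset of the posted ruleset, in the posted order. tcp/udp rules,
# nat and "log" are left out; the fxp2 rule is written from $lan2 as its comment intends.
RULES = [
    Rule("block", "in",  "any",  "any",  ANY,        ANY),
    Rule("block", "out", "any",  "any",  ANY,        ANY),
    Rule("pass",  "out", "fxp0", "icmp", FXP0,       ANY, 8, True),
    Rule("pass",  "out", "fxp0", "icmp", LAN1,       ANY, 8, True),
    Rule("pass",  "out", "fxp0", "icmp", LAN2,       ANY, 8, True),
    Rule("pass",  "in",  "fxp1", "icmp", LAN1 + LOC, ANY, 8, True),
    Rule("pass",  "in",  "fxp2", "icmp", LAN2 + LOC, ANY, 8, True),
    Rule("block", "out", "fxp0", "any",  ANY, BADIP + LANIP + LOC),
    Rule("block", "out", "fxp1", "any",  ANY, BADIP),
    Rule("block", "out", "fxp2", "any",  ANY, BADIP),
]

def last_match(rules, direction, ifname, proto, src, dst, icmp_type=None):
    """Every rule is evaluated (none here says 'quick'); the LAST matching rule wins."""
    winner = None
    for idx, r in enumerate(rules):
        if (r.direction == direction and r.ifname in ("any", ifname)
                and r.proto in ("any", proto)
                and in_nets(src, r.src) and in_nets(dst, r.dst)
                and (r.proto != "icmp" or r.icmp_type in (None, icmp_type))):
            winner = (idx, r)
    return winner

class Firewall:
    """Rule evaluation plus a toy state table. With state_policy "floating" a state
    matches on any interface; with "if-bound" only on the interface that created it."""
    def __init__(self, rules, state_policy="floating"):
        self.rules, self.state_policy, self.states = rules, state_policy, set()

    def _key(self, ifname, proto, a, b):
        return (ifname if self.state_policy == "if-bound" else None, proto, a, b)

    def test(self, direction, ifname, proto, src, dst, icmp_type=None) -> Tuple[str, str]:
        # A packet belonging to an existing state (either direction of the flow) is
        # passed without consulting the rules at all: that is what "keep state" buys.
        if (self._key(ifname, proto, src, dst) in self.states
                or self._key(ifname, proto, dst, src) in self.states):
            return "pass", "state"
        hit = last_match(self.rules, direction, ifname, proto, src, dst, icmp_type)
        if hit is None:
            return "pass", "implicit default"   # pf passes when no rule matches at all
        idx, rule = hit
        if rule.action == "pass" and rule.keep_state:
            self.states.add(self._key(ifname, proto, src, dst))
        return rule.action, "rule %d" % idx

def trace_ping(fw, src, dst, in_if, out_if=None):
    """Walk an echo request through the box and its echo reply back out. out_if=None
    means dst is one of the firewall's own addresses, so the request ends locally.
    Returns (direction, interface, verdict, reason) per step, stopping at a block."""
    if out_if is None:
        steps = [("in", in_if, 8, src, dst), ("out", in_if, 0, dst, src)]
    else:
        steps = [("in", in_if, 8, src, dst), ("out", out_if, 8, src, dst),
                 ("in", out_if, 0, dst, src), ("out", in_if, 0, dst, src)]
    trace = []
    for direction, ifname, itype, s, d in steps:
        verdict, why = fw.test(direction, ifname, "icmp", s, d, itype)
        trace.append((direction, ifname, verdict, why))
        if verdict == "block":
            break
    return trace

def scenario(state_policy, dst, out_if=None):
    """A ping from 10.0.0.51 (arriving on fxp1, as in the post) under one state policy."""
    return trace_ping(Firewall(RULES, state_policy), "10.0.0.51", dst, "fxp1", out_if)

if __name__ == "__main__":
    for policy in ("floating", "if-bound"):
        print("== state-policy", policy)
        print("  ping 10.0.0.1 (fxp1 itself):   ", scenario(policy, "10.0.0.1"))
        print("  ping 10.0.4.1, egress fxp0:    ", scenario(policy, "10.0.4.1", "fxp0"))
        print("  ping 10.0.4.1, egress fxp2:    ", scenario(policy, "10.0.4.1", "fxp2"))
        print("  ping 198.51.100.7, egress fxp0:", scenario(policy, "198.51.100.7", "fxp0"))
```

The trace makes two properties of the ruleset visible. A ping to the firewall's own fxp1 address needs only the "pass in on $eth1" rule plus its state, so it succeeds under either policy. For a destination that must be forwarded, the echo request is evaluated a second time as it leaves: under if-bound states, leaving fxp0 the last match for any 10.x destination is the trailing "block out on $eth0 inet from any to { $badip, $lanip, $loc }" rule, and leaving fxp2 there is no pass out rule at all, so "block out log all" wins; under floating states neither out rule is consulted because the state created on fxp1 already covers the packet. On the real box, pfctl -vsr (per-rule packet counters) and pfctl -ss (the state table) show which rule a dropped packet last hit and whether a state for the flow exists.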