[The following has already been posted on [EMAIL PROTECTED] I've just
now learned that a pf-specific mailing list exists and I thought maybe
here is the better forum for my question]

Consider the following setup (OpenBSD 4.0-current):

Win PC ----> (vlan1) [OpenBSD FW] (vlan0) ----> Host

1. With the following pf ruleset:

set skip on { lo0 }
scrub all fragment reassemble
block drop all

A ping command on the Windows PC towards the Host (172.23.1.21) gives
the following (expected) result:

-----------------------------------------------------
Pinging 172.23.1.21 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 172.23.1.21:
   Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Approximate round trip times in milli-seconds:
   Minimum = 0ms, Maximum =  0ms, Average =  0ms
-----------------------------------------------------

2. However, with the following ruleset:

set skip on { lo0 }
scrub all fragment reassemble
block drop all
pass in on vlan1 inet all flags S/SA keep state

Here is what I get:

-----------------------------------------------------
Pinging 172.23.1.21 with 32 bytes of data:

Reply from 172.23.66.1: Destination host unreachable.
Reply from 172.23.66.1: Destination host unreachable.
Reply from 172.23.66.1: Destination host unreachable.
Reply from 172.23.66.1: Destination host unreachable.

Ping statistics for 172.23.1.21:
   Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
   Minimum = 0ms, Maximum =  0ms, Average =  0ms
-----------------------------------------------------

As I understand it in #1 the echo-request packets are simply dropped
by the 'block drop all' for the vlan1 interface and nothing is
returned.

However, at #2 I expected the same behavior because although the
packets are "let through" on the vlan1 interface, the way I see it the
vlan0 interface matches the 'block drop all' rule and I simply assumed
that the echo-request packet would be dropped as well. However, I was
surprised to see ICMP host unreachable messages being sent back from
the OpenBSD firewall.

I'm really keen on finding out if it is possible or not to 'block drop
in' and not return ICMP unreachables because I want to set up pf to
do some "NetScreen-style" policying (where policies are evaluated as
they travel from one "security zone" (i.e. commonly, an interface) to
another).

I want to use pf tags so that I can have something like:

block drop all
pass in on vlan1 inet all flags S/SA keep state tag FROM_DESIGNERS
pass out on vlan0 inet all flags S/SA keep state tagged FROM_DESIGNERS
block out on vlan2 inet tagged FROM_DESIGNERS

Which would enforce these two policies:

1. all traffic coming from vlan1 to vlan0 is allowed
2. all traffic coming from vlan1 to vlan2 is blocked silently

The way I see it I have to do my blocking on the outbound interface
(maybe this is totally the wrong way to do it and I'm just being an
idiot -- if this is the case, let me know!). But I want to do my
blocking on the outbound interface and have the packets silently
*dropped*, which I can't seem to be getting right now.

So I'm trying to figure out if silently blocking with 'block drop out'
is actually possible at all and I'm just a moron who can't get it
right, or if maybe, just maybe, it turns out that there's no way to
avoid ICMP unreachables with 'block drop out'.

I'm hoping someone knows the answer to this and can set me straight. :-)

Thanks,
-Martin
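An added example (not part of Martin's post) of writing the same two zone policies so that the allow/deny decision is made on the ingress interface vlan1, where case #1 above shows that a 'block drop' returns nothing to the sender. The addresses of the attached networks are not given in the post, so the pf 'ifname:network' forms stand in for them.

```pf
# Added example, not the original poster's ruleset.
set skip on { lo0 }
scrub all fragment reassemble

# Default: silently drop everything, in and out, on every interface.
block drop all

# Policy 2: vlan1 -> vlan2 blocked silently.
# Dropping on the *inbound* interface is what case #1 in the post shows
# to be silent; 'quick' stops evaluation so no later pass rule applies.
# vlan2:network is assumed to be vlan2's directly attached network.
block drop in quick on vlan1 inet to vlan2:network

# Policy 1: vlan1 -> vlan0 allowed.
# Only sessions whose destination lies in vlan0's attached network
# (assumed: vlan0:network) are let in on vlan1 and tagged; the matching
# outbound rule on vlan0 passes only packets carrying that tag.
pass in on vlan1 inet to vlan0:network flags S/SA keep state \
    tag FROM_DESIGNERS
pass out on vlan0 inet all flags S/SA keep state tagged FROM_DESIGNERS

# Anything else arriving on vlan1 (e.g. toward a network that is neither
# vlan0's nor vlan2's) matches no pass rule and is dropped on input by
# the 'block drop all' default, with no ICMP unreachable generated.
```

Because traffic destined for vlan2 never matches a 'pass in' rule, it is never forwarded to the vlan0/vlan2 output path where the post observed the host-unreachable replies.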
