Hi
I moved from 4.6 to 4.7 and rewrote my pf.conf rules to match the new style.
Everything works fine, but when I try to traceroute a host with the -I flag
(force it to use ICMP) on my obsd fw,
I get "Request timed out" on all hops except the last one, which was my
traceroute target. Here is an example:
[ns]~$ traceroute -I data.bg
traceroute to data.bg (195.149.248.130), 64 hops max, 60 byte packets
1 * * *
2 * * *
3 * * *
4 web.data.bg (195.149.248.130) 0.740 ms 0.707 ms 0.733 ms
As you can see, only the last hop is present.
Example without the -I flag (using UDP):
[ns]~$ traceroute data.bg
traceroute to data.bg (195.149.248.130), 64 hops max, 40 byte packets
1 gw.tbc.bg (94.26.7.33) 0.591 ms 0.462 ms 0.443 ms
2 peer.tbc.bg (94.26.50.2) 0.961 ms 1.317 ms 1.965 ms
3 85.91.141.65 (85.91.141.65) 0.866 ms 0.905 ms 1.93 ms
4 web.data.bg (195.149.248.130) 0.847 ms 0.732 ms 0.712 ms
When I use 'tracert host' on a MS Windows box behind my obsd fw, I get the same
behavior:
C:\Users\Administrator>tracert data.bg
Tracing route to data.bg [195.149.248.130]
over a maximum of 30 hops:
  1     1 ms     1 ms     1 ms  ns.bsdbg.net [192.168.1.1]
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     1 ms     1 ms     1 ms  web.data.bg [195.149.248.130]
Trace complete.
Here the first hop is my obsd fw. I used tcpdump to see what actually happens:
[ns]~# tcpdump -nettti pflog0 host vlado and icmp
tcpdump: listening on pflog0, link-type PFLOG
Aug 19 02:29:32.165656 rule 85/(match) pass in on em1: 192.168.1.2 > 195.149.248.130: icmp: echo request [ttl 1]
Aug 19 02:29:33.168104 rule 120/(match) pass out on em0: 192.168.1.2 > 195.149.248.130: icmp: echo request [ttl 1]
Aug 19 02:29:33.168117 rule 17/(match) match out on em0: 192.168.1.2 > 195.149.248.130: icmp: echo request [ttl 1]
Aug 19 02:29:33.168128 rule 16/(match) match out on em0: 192.168.1.2 > 195.149.248.130: icmp: echo request [ttl 1]
Aug 19 02:29:33.168593 rule 120/(match) pass in on em0: 94.26.7.33 > 192.168.1.2: icmp: time exceeded in-transit [tos 0xc0]
Aug 19 02:29:33.168613 rule 14/(match) block out on em1: 94.26.7.33 > 192.168.1.2: icmp: time exceeded in-transit [tos 0xc0]
Aug 19 02:29:36.960715 rule 120/(match) pass in on em0: 94.26.7.33 > 192.168.1.2: icmp: time exceeded in-transit [tos 0xc0]
Aug 19 02:29:40.960831 rule 120/(match) pass in on em0: 94.26.7.33 > 192.168.1.2: icmp: time exceeded in-transit [tos 0xc0]
Aug 19 02:29:44.962196 rule 120/(match) pass in on em0: 94.26.50.2 > 192.168.1.2: icmp: time exceeded in-transit [tos 0xc0]
Aug 19 02:29:48.961438 rule 120/(match) pass in on em0: 94.26.50.2 > 192.168.1.2: icmp: time exceeded in-transit [tos 0xc0]
Aug 19 02:29:52.961678 rule 120/(match) pass in on em0: 94.26.50.2 > 192.168.1.2: icmp: time exceeded in-transit [tos 0xc0]
Aug 19 02:29:56.960795 rule 120/(match) pass in on em0: 85.91.141.65 > 192.168.1.2: icmp: time exceeded in-transit
Aug 19 02:30:00.960785 rule 120/(match) pass in on em0: 85.91.141.65 > 192.168.1.2: icmp: time exceeded in-transit
Aug 19 02:30:05.002249 rule 120/(match) pass in on em0: 85.91.141.65 > 192.168.1.2: icmp: time exceeded in-transit
Aug 19 02:30:08.960640 rule 120/(match) pass in on em0: 195.149.248.130 > 192.168.1.2: icmp: echo reply
Aug 19 02:30:08.961639 rule 120/(match) pass in on em0: 195.149.248.130 > 192.168.1.2: icmp: echo reply
Aug 19 02:30:08.962888 rule 120/(match) pass in on em0: 195.149.248.130 > 192.168.1.2: icmp: echo reply
When I turn off pf (pfctl -d), 'traceroute -I' works as it should.
I really don't know what is happening.
Thanks in advance,
Atanas
Here is my pf.conf:
## pf.conf ##
## Macros ##
### Interfaces ###
ExtIf = "em0"
IntIf = "em1"
### Hosts ###
vl=192.168.1.2
jl=192.168.1.3
ve=192.168.1.4
ntp=192.168.1.5
### Queues, States and Types ###
IcmpType = "icmp-type 8 code 0"
SynState = "flags S/SAFR synproxy state"
TcpState = "flags S/SAFR modulate state"
UdpState = "keep state"
### Ports ###
# Squid
squid=2020
# Remote Desktop Connection
rdc_int=3389
rdc_ext=4000
# Skype
vl_skype=30001
jl_skype=30002
ve_skype=30003
# uTorrent
vl_torrent=30004
jl_torrent=30005
ve_torrent=30006
urange=30004:30006
# HFS
vl_hfs=8080
# VsFTP
ftprange=55000:6
FtpPort = "8021"
# Symux
symux=2100
# Battle.net
bnet=6112
# Ssh
ssh_ext=443
### Stateful Tracking Options (STO) ###
ExtIfSTO = "(max 9000, source-track rule, max-src-conn 2000, max-src-nodes 254)"
IntIfSTO = "(max 250, source-track rule, max-src-conn 100, max-src-nodes 254, max-src-conn-rate 75/20)"
PostfxSTO = "(max 100, source-track rule, max-src-states 5, max-src-nodes 30, max-src-conn-rate 10/300, overload <BLACKLIST> flush global, tcp.established 45)"
SpamdSTO = "(max 500, source-track rule, max-src-conn 10, max-src-nodes 300, max-src-conn-rate 2/300, tcp.established 10)"
SshSTO=(max 10, source-track rule, max-src-conn 10, max-src-nodes
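The pflog capture above already contains the answer to "where does the hop reply go": the ICMP time-exceeded message from 94.26.7.33 is passed in on em0 by rule 120 and then blocked out on em1 by rule 14, so it never reaches 192.168.1.2. Picking that pair out of a long capture by eye is error-prone, so the script below does it mechanically. It is an added example, not code from the original post: it parses lines in the `tcpdump -nettti pflog0` format (with the `src > dst` separator tcpdump prints), counts events per rule, and reports every ICMP error message that pf accepted on one interface and then blocked on the way out of another. The sample lines are constructed to mirror the poster's capture; the function and field names are the example's own.

```python
import re
from collections import Counter

# Constructed sample in the tcpdump -nettti pflog0 line format (modelled on the
# capture in the post, with tcpdump's "src > dst" separator present).
SAMPLE_PFLOG = """\
Aug 19 02:29:32.165656 rule 85/(match) pass in on em1: 192.168.1.2 > 195.149.248.130: icmp: echo request [ttl 1]
Aug 19 02:29:33.168104 rule 120/(match) pass out on em0: 192.168.1.2 > 195.149.248.130: icmp: echo request [ttl 1]
Aug 19 02:29:33.168593 rule 120/(match) pass in on em0: 94.26.7.33 > 192.168.1.2: icmp: time exceeded in-transit [tos 0xc0]
Aug 19 02:29:33.168613 rule 14/(match) block out on em1: 94.26.7.33 > 192.168.1.2: icmp: time exceeded in-transit [tos 0xc0]
Aug 19 02:30:08.960640 rule 120/(match) pass in on em0: 195.149.248.130 > 192.168.1.2: icmp: echo reply
"""

# One pflog event per line: timestamp, rule number, reason, action, direction,
# interface, source, destination and the ICMP message type (optional [..] suffix).
PFLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d\.\d+) "
    r"rule (?P<rule>\d+)/\((?P<reason>[^)]*)\) "
    r"(?P<action>pass|block|match) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>[\d.]+) > (?P<dst>[\d.]+): icmp: (?P<icmp>[^\[]+?)"
    r"\s*(?:\[(?P<extra>[^\]]*)\])?$"
)

# ICMP error messages: they carry the header of the packet that triggered them,
# which is why a stateful firewall can relate them to an existing state.
ICMP_ERRORS = ("time exceeded", "destination unreachable", "parameter problem", "source quench")


def parse_pflog(text):
    """Parse tcpdump pflog lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = PFLOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def is_icmp_error(event):
    return event["icmp"].startswith(ICMP_ERRORS)


def rule_summary(events):
    """Count events per (rule, action, direction, interface) to see which rules are in play."""
    return Counter((e["rule"], e["action"], e["dir"], e["ifname"]) for e in events)


def dropped_forwarded_replies(events):
    """ICMP error messages that pf passed in on one interface and then blocked on the
    way out of another, i.e. hop replies that the firewall received but never forwarded.
    Returns one dict per dropped message naming the blocking rule and both interfaces."""
    dropped = []
    for i, e in enumerate(events):
        if e["action"] != "block" or e["dir"] != "out" or not is_icmp_error(e):
            continue
        # Walk back to the most recent matching inbound pass of the same message.
        for prev in reversed(events[:i]):
            same_msg = (prev["src"], prev["dst"], prev["icmp"]) == (e["src"], e["dst"], e["icmp"])
            if same_msg and prev["action"] == "pass" and prev["dir"] == "in" and prev["ifname"] != e["ifname"]:
                dropped.append({
                    "router": e["src"],          # hop that sent the ICMP error
                    "inside_host": e["dst"],     # host that will see "* * *"
                    "message": e["icmp"],
                    "ingress_if": prev["ifname"],
                    "ingress_rule": prev["rule"],
                    "egress_if": e["ifname"],
                    "block_rule": e["rule"],
                    "ts": e["ts"],
                })
                break
    return dropped


if __name__ == "__main__":
    evs = parse_pflog(SAMPLE_PFLOG)
    for key, n in rule_summary(evs).most_common():
        print("rule %s %s %s on %s: %d" % (key + (n,)))
    for d in dropped_forwarded_replies(evs):
        print("%(ts)s: %(message)s from %(router)s to %(inside_host)s accepted on "
              "%(ingress_if)s (rule %(ingress_rule)s) but blocked on %(egress_if)s "
              "by rule %(block_rule)s" % d)
```

Run it against a real capture with `tcpdump -nettti pflog0 icmp | python3 script.py` after replacing `SAMPLE_PFLOG` with `sys.stdin.read()`; the rule number it reports is the one to look up with `pfctl -vvsr` (the `@N` prefix in that output is the same index pflog prints).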