Subject: ICMP acting weird in ipf 4.1.3? (netbsd-2.0_RC1)
To: NetBSD Current Users <>
From: Jeff Rizzo <>
List: current-users
Date: 09/29/2004 08:24:58
I just upgraded my kernel from a circa-July 2.0_BETA to 2.0_RC1 
(userland, too), and discovered I could no longer ping myself from 
outside, despite the following rule near the top of my ipf.conf:

pass in quick proto icmp from any to any

A little more searching revealed this line near the bottom of my file:

pass out quick on tlp1 proto icmp from any to any keep state keep frags I enabled logging on both of those lines to help me figure out 
more about what was going on, and saw lines like this from ipmon for 
each packet:

Sep 29 08:08:03 boogers ipmon[19119]: 08:08:02.643999 tlp1 @0:2 p[] ->[] PR icmp len 20 84 
icmp echo/0 IN
Sep 29 08:08:03 boogers ipmon[19119]: 08:08:02.644070 tlp1 @0:3 b[] ->[] PR icmp len 20 84 icmp echoreply/0 

so, clearly, the reply packets are being blocked by the outgoing "keep 
state" rule, and sure enough, when I comment that rule out, I can ping 
my machine from outside again.  Strangely enough, pinging from _inside_ 
works whether or not the rule is in place.  (as I expect it should)

My question is:  this obviously changed between ipf 4.1.1 and 4.1.3 (at 
least as realized in 2.0_BETA/RC1, though I chatted with someone on IRC 
who is having a similar issue).  Is this the way it's supposed to work, 
or is something actually broken?  (I suspect the latter)