Subject: Re: ICMP acting weird in ipf 4.1.3? (netbsd-2.0_RC1)
To: Jeff Rizzo <riz@boogers.sf.ca.us>
From: Hisashi T Fujinaka <htodd@twofifty.com>
List: current-users
Date: 09/29/2004 21:30:27
On Wed, 29 Sep 2004, Jeff Rizzo wrote:

> I just upgraded my kernel from a circa-July 2.0_BETA to 2.0_RC1 (userland, 
> too), and discovered I could no longer ping myself from outside, despite the 
> following rule near the top of my ipf.conf:
>
> pass in quick proto icmp from any to any
>
> A little more searching revealed this line near the bottom of my file:
>
> pass out quick on tlp1 proto icmp from any to any keep state keep frags
>
> ....so I enabled logging on both of those lines to help me figure out more 
> about what was going on, and saw lines like this from ipmon for each packet:
>
> Sep 29 08:08:03 boogers ipmon[19119]: 08:08:02.643999 tlp1 @0:2 p lychee.tastylime.net[199.233.217.35] -> adsl-66-124-71-68.dsl.sntc01.pacbell.net[66.124.71.68] PR icmp len 20 84 icmp echo/0 IN
> Sep 29 08:08:03 boogers ipmon[19119]: 08:08:02.644070 tlp1 @0:3 b adsl-66-124-71-68.dsl.sntc01.pacbell.net[66.124.71.68] -> lychee.tastylime.net[199.233.217.35] PR icmp len 20 84 icmp echoreply/0 K-S K-F OUT
>
>
> so, clearly, the reply packets are being blocked by the outgoing "keep state" 
> rule, and sure enough, when I comment that rule out, I can ping my machine 
> from outside again.  Strangely enough, pinging from _inside_ works whether or 
> not the rule is in place.  (as I expect it should)
>
> My question is:  this obviously changed between ipf 4.1.1 and 4.1.3 (at least 
> as realized in 2.0_BETA/RC1, though I chatted with someone on IRC who is 
> having a similar issue).  Is this the way it's supposed to work, or is 
> something actually broken?  (I suspect the latter)

OK, here's what I found. I use current, and rebuild one of my machines
every day. (Yeah, I need a life.) I rebuild my firewall machine every
2-3 weeks, and it's a SPARCclassic running netbsd current as well. The
rules I used to have (with the ip addresses changed) were:

pass out log level local1.info on le0 proto icmp from any to any keep state
pass in log level local1.info quick on le0 proto icmp from any to 192.168.1.18/32

This used to work and quit at some point.

Now for testing, a different SPARC 5 running current as of 9/28. ipmon
shows:

Sep 29 21:02:25 anna ipmon[150]: 21:02:24.753722 le0 @0:65 p lesleyanne.i8u.org[192.168.1.17] -> anna.i8u.org[192.168.1.18] PR icmp len 20 84 icmp echo/0 IN
Sep 29 21:02:25 anna ipmon[150]: 21:02:24.754005 le0 @0:45 b anna.i8u.org[192.168.1.18] -> lesleyanne.i8u.org[192.168.1.17] PR icmp len 20 84 icmp echoreply/0 K-S OUT

I experimented and commented out the "keep state" and now I can ping the
outside interface from outside.

Now I see:

Sep 29 21:07:58 anna ipmon[730]: 21:07:58.280328 le0 @0:65 p lesleyanne.i8u.org[192.168.1.17] -> anna.i8u.org[192.168.1.18] PR icmp len 20 84 icmp echo/0 IN
Sep 29 21:07:58 anna ipmon[730]: 21:07:58.280506 le0 @0:45 p anna.i8u.org[192.168.1.18] -> lesleyanne.i8u.org[192.168.1.17] PR icmp len 20 84 icmp echoreply/0 OUT

This also seems to work with my gateway box.

OK, so what changed?

-- 
Hisashi T Fujinaka - htodd@twofifty.com
BSEE(6/86) + BSChem(3/95) + BAEnglish(8/95) + MSCS(8/03) + $2.50 = latte
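As an added example (not from either poster, and not part of ipf or NetBSD), here is a small Python script that parses ipmon lines of the form shown in this thread and flags exactly the symptom being discussed: an ICMP echo request passed IN, followed on the same interface within a second by the matching echo reply blocked OUT with K-S set, i.e. a stateful outbound rule swallowing a reply it did not originate. The regular expressions are written against the ipmon output quoted above rather than against ipf's source, so how ipmon prints anything not seen here (TCP/UDP ports, NAT or state messages) is an assumption; the embedded sample is the two pairs of "anna" lines from the reply, one pair with "keep state" in place and one with it commented out.

```python
"""Correlate ipmon(8) packet log lines to find ICMP echo replies that an
outbound stateful rule blocked right after the echo request was passed in.
Example code written for this thread; field handling is based on the
ipmon lines quoted in it, not on ipf's source."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Sample input: the two ipmon line pairs posted for host "anna".  The first
# pair shows the blocked reply (K-S on the blocked OUT line); the second pair
# was logged after "keep state" was commented out.  Embedded so this runs offline.
SAMPLE_LOG = """\
Sep 29 21:02:25 anna ipmon[150]: 21:02:24.753722 le0 @0:65 p lesleyanne.i8u.org[192.168.1.17] -> anna.i8u.org[192.168.1.18] PR icmp len 20 84 icmp echo/0 IN
Sep 29 21:02:25 anna ipmon[150]: 21:02:24.754005 le0 @0:45 b anna.i8u.org[192.168.1.18] -> lesleyanne.i8u.org[192.168.1.17] PR icmp len 20 84 icmp echoreply/0 K-S OUT
Sep 29 21:07:58 anna ipmon[730]: 21:07:58.280328 le0 @0:65 p lesleyanne.i8u.org[192.168.1.17] -> anna.i8u.org[192.168.1.18] PR icmp len 20 84 icmp echo/0 IN
Sep 29 21:07:58 anna ipmon[730]: 21:07:58.280506 le0 @0:45 p anna.i8u.org[192.168.1.18] -> lesleyanne.i8u.org[192.168.1.17] PR icmp len 20 84 icmp echoreply/0 OUT
"""

# syslog prefix, ipmon timestamp, interface, @group:rule, action letter,
# src -> dst, protocol, header/packet length, free-form detail, K-S/K-F flags, direction.
LINE_RE = re.compile(
    r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ ipmon\[\d+\]: "
    r"(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<ifname>\S+) "
    r"@(?P<group>\d+):(?P<rule>\d+) (?P<action>\S) "
    r"(?P<src>\S+) -> (?P<dst>\S+) PR (?P<proto>\S+) len (?P<hlen>\d+) (?P<plen>\d+)"
    r"(?P<detail>.*?)(?P<flags>(?: K-[SF])*) (?P<dir>IN|OUT)$"
)
ICMP_RE = re.compile(r"\bicmp (?P<itype>[a-z]+)/(?P<icode>\d+)")   # e.g. "icmp echoreply/0"
ADDR_RE = re.compile(r"\[([0-9.]+)\]$")                           # "name[ip]" -> ip


@dataclass
class Record:
    ts: datetime             # time of day from the ipmon timestamp
    ifname: str
    rule: str                # "@group:rule" as ipmon prints it
    action: str              # p = pass, b = block (other letters passed through untouched)
    src: str                 # IP only, resolved name stripped
    dst: str
    proto: str
    icmp_type: Optional[str]
    flags: Tuple[str, ...]   # ("K-S",) when the matching rule keeps state
    direction: str           # IN or OUT


def _ip(token: str) -> str:
    m = ADDR_RE.search(token)
    return m.group(1) if m else token


def parse_ipmon(text: str) -> List[Record]:
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a packet line in the shape seen here; skip it
        icmp = ICMP_RE.search(m.group("detail"))
        records.append(Record(
            ts=datetime.strptime(m.group("ts"), "%H:%M:%S.%f"),
            ifname=m.group("ifname"),
            rule=f"@{m.group('group')}:{m.group('rule')}",
            action=m.group("action"),
            src=_ip(m.group("src")),
            dst=_ip(m.group("dst")),
            proto=m.group("proto"),
            icmp_type=icmp.group("itype") if icmp else None,
            flags=tuple(m.group("flags").split()),
            direction=m.group("dir"),
        ))
    return records


@dataclass
class Finding:
    when: str
    ifname: str
    peer: str            # the outside host whose ping went unanswered
    request_rule: str    # rule that passed the echo request IN
    reply_rule: str      # rule that blocked the echo reply OUT
    stateful: bool       # True when the blocking OUT line carried K-S


def find_blocked_replies(records: List[Record], window: float = 1.0) -> List[Finding]:
    """For each blocked outbound echoreply, look back up to `window` seconds
    for a passed inbound echo on the same interface with src/dst swapped."""
    findings = []
    for i, r in enumerate(records):
        if not (r.proto == "icmp" and r.icmp_type == "echoreply"
                and r.action == "b" and r.direction == "OUT"):
            continue
        for q in reversed(records[:i]):
            if (r.ts - q.ts).total_seconds() > window:
                break
            if (q.proto == "icmp" and q.icmp_type == "echo" and q.action == "p"
                    and q.direction == "IN" and q.ifname == r.ifname
                    and q.src == r.dst and q.dst == r.src):
                findings.append(Finding(r.ts.strftime("%H:%M:%S.%f"), r.ifname,
                                        q.src, q.rule, r.rule, "K-S" in r.flags))
                break
    return findings


if __name__ == "__main__":
    for f in find_blocked_replies(parse_ipmon(SAMPLE_LOG)):
        print(f"{f.when} {f.ifname}: echo from {f.peer} passed by {f.request_rule}, "
              f"reply blocked by {f.reply_rule}" + (" (keep state)" if f.stateful else ""))
```

Run against the sample, it reports only the 21:02:24 pair on le0, naming @0:65 as the rule that passed the request and @0:45, with keep state, as the rule that dropped the reply; the 21:07:58 pair, logged after the rule was changed, produces nothing. Pointed at a real ipmon log it tells you which rule number to look up with `ipfstat -ion` rather than leaving you to eyeball pairs of lines.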