Subject: Re: ICMP acting weird in ipf 4.1.3? (netbsd-2.0_RC1)
To: Hisashi T Fujinaka <htodd@twofifty.com>
From: Rich Neswold <rich.neswold@gmail.com>
List: current-users
Date: 09/30/2004 10:46:58
On Thu, 30 Sep 2004 07:58:28 -0700 (PDT), Hisashi T Fujinaka
<htodd@twofifty.com> wrote:
> On Wed, 29 Sep 2004, Hisashi T Fujinaka wrote:
> 
> ... (unable to ping external interface starting a month or so ago) ...
> 
> Not working:
> 
> > pass out log level local1.info on le0 proto icmp from any to any keep state
> > pass in log level local1.info quick on le0 proto icmp from any to 192.168.1.18/32

[...snip...]
 
> So the question remains, what changed? The first rule used to work.

Maybe there was a bug in the earlier version of IPF? The first rules
say you'll accept incoming ICMP packets and allow (and remember state)
for outgoing ICMP packets.

The question is should KEEP STATE rules only match packets that are
setting up state? In your case, an ICMP echo request is clearly
allowed in. The outgoing reply, however, is now getting blocked
whereas before it was passed. Was it a bug that the echo reply (which
shouldn't set up any remembered state since it's the final reply) was
getting accepted by the KEEP STATE rule?

I'm in the process of learning the IPF interface, so I offer this
explanation to start some discussion. Also, this symptom seems to have
been submitted as a PR, so you should also monitor PR#26856 to see how
it gets resolved.

-- 
Rich

AIM : rnezzy
ICQ : 174908475
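As an added illustration of the state question raised above (this is not part of the original thread, and the ruleset is constructed for the example; the interface name le0 and the address 192.168.1.18/32 are taken from the quoted rules), the fragment below sets the quoted pair of rules beside a variant that lets the inbound echo request itself create the state entry, so the outgoing echo reply is matched against that entry instead of having to match a rule of its own. The ruleset assumes a default block on le0 so that only the listed traffic passes.

```conf
# ipf.conf fragment, constructed for illustration (not the original poster's file)

# Default stance for the external interface: nothing passes unless a rule below says so.
block in log level local1.info on le0 all
block out log level local1.info on le0 all

# --- As quoted in the thread ---
# Outgoing ICMP sets up state, so replies to our own pings are let back in.
pass out log level local1.info on le0 proto icmp from any to any keep state
# Incoming ICMP is accepted, but without keep state no entry is created
# for it; the echo reply going back out must then match an outbound rule
# on its own, which is the point under discussion in the thread.
pass in log level local1.info quick on le0 proto icmp from any to 192.168.1.18/32

# --- Variant that does not depend on the reply matching a plain rule ---
# Let the inbound echo request create the state entry; the outgoing echo
# reply is then passed as part of that state rather than by the pass out rule.
# Restricting to icmp-type echo keeps the state-creating rule to requests only.
pass in log level local1.info quick on le0 proto icmp from any to 192.168.1.18/32 icmp-type echo keep state

# Check (assumed command usage): after a ping from outside, the state table
# should show an entry for the request; list it with:
#   ipfstat -sl
```

Only one of the two inbound rules is meant to be active at a time; the variant is listed second so that it can be compared line by line with the quoted rule. Watching the state table while pinging from outside shows directly whether the reply is being carried by a state entry or has to match a rule of its own, which is the distinction the thread is trying to pin down.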