netbsd 5 beta problem with pf and icmp-type

To: current-users%netbsd.org@localhost, tech-net%netbsd.org@localhost
Subject: netbsd 5 beta problem with pf and icmp-type
From: Daniel Schossig <daniel%schossig.net@localhost>
Date: Sun, 21 Dec 2008 17:14:05 +0100

Hi,

I'm running NetBSD 5 beta on my laptop, i updated it yesterday
(12/20/2008, cvs update -Pd and then running build.sh), I discovered a
strange behavior while playing around with pf. The following pf.conf on
NetBSD 4 did what it was supposed to do, blocking icmp timereq/timerep
but on NetBSD 5 it does not block icmp timereq/timerep.

pf.conf:
block in quick inet proto icmp all icmp-type timereq
block out quick inet proto icmp all icmp-type timerep
pass in
pass out

the output from pfctl -sr on NetBSD 4:
No ALTQ support in kernel
ALTQ related functions disabled
block drop in quick inet proto icmp all icmp-type timereq
block drop out quick inet proto icmp all icmp-type timerep
pass in all
pass out all

the output from pfctl -sr on NetBSD 5:
No ALTQ support in kernel
ALTQ related functions disabled
block drop in quick inet proto icmp all icmp-type timereq
block drop out quick inet proto icmp all icmp-type timerep
pass in all flags S/SA keep state
pass out all flags S/SA keep state

While scanning with nessus on both hosts nessus shows on NetBSD 4 no
message like "It is possible to determine the exact time set on the
remote host." but on NetBSD 5 it does.

Both machines are running NetBSD amd64. If you need further information
please CC me, I'm not subscribed to the mailling list yet.

greetings
Daniel Schossig

Prev by Date: Re: amd64 -current crashs at boot
Next by Date: Build failure - font files?
Previous by Thread: nfs vs nfsserver
Next by Thread: Build failure - font files?
Indexes:

Home | Main Index | Thread Index | Old Index