Subject: confusing pf behaviour, block drop still returns messages?
To: None <tech-net@netbsd.org>
From: Nino Dehne <ndehne@gmail.com>
List: tech-net
Date: 04/12/2006 01:57:30
Hi,

Consider the following setup:

Internet <-> [pppoe0]gw-ext[sip1] <-> [sip2]gw[vlan1] <-> LAN

pppoe0: public address
sip1:   192.168.0.254/30
sip2:   192.168.0.253/30
vlan1:  192.168.1.254/24
a client in LAN: 192.168.1.1

gw-ext utilises a pf(4) ruleset that - among other things - blocks bogon
and RFC1918 networks on pppoe0 in both directions:

>>> pf.conf
[...]
set block-policy drop
[...]
# don't rewrite to/from <evil>, saves a state entry and gets squashed below
# in filter rules
no nat on $ext_if inet from any to <evil>
no rdr on $ext_if inet from <evil> to any
[...]
block in log quick on $ext_if inet from any to <evil>
block in log quick on $ext_if inet from <evil> to any
block return-icmp(13) out log quick on $ext_if inet from any to <evil>
block return-icmp(13) out log quick on $ext_if inet from <evil> to any
[...]
<<< pf.conf

The idea is to silently drop everything that originates outside our network
in order to not generate traffic to known invalid/bogus destinations,
but to be so kind and return an error for local networks to aid debugging.

However, when I tcpdump on interface vlan1 on host gw, I see two errors:

01:03:00.296138 IP 192.168.0.254 > 192.168.1.1: icmp 36: host 1.0.0.1 unreachable - admin prohibited filter
01:03:00.296352 IP 192.168.0.254 > 192.168.1.1: icmp 36: host 1.0.0.1 unreachable

The first is expected, the second isn't. The second message even persists
when I remove the return-icmp(13). At that point gw-ext shouldn't emit error
messages because of the default block-policy.

I also noticed that, when I try to ping the host 1.0.0.1 directly from gw-ext
I get a confusing error message:

# ping 1.0.0.1
PING 1.0.0.1 (1.0.0.1): 56 data bytes
ping: sendto: No route to host

This is plain wrong. First, there is a route to that network in the routing
table. Second, I even get that message when I tell pf to silently block and
not return anything.

What is going on here? To me, this is not consistent behaviour at all. How
can I get a nice "admin prohibited" error while shutting up pf about the
normal unreachable which I think shouldn't be there in the first place?

TIA

Best regards,

ND
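An added triage script, not from the post or from NetBSD, that parses tcpdump lines like the two above and flags ICMP unreachable messages that a "block-policy drop" ruleset with only return-icmp(13) rules is not expected to emit; the sample capture lines are constructed.

```python
import re
from collections import Counter

# Constructed sample: the two ICMP errors from the post plus one unrelated
# line, in tcpdump's text format (not from a real capture).
SAMPLE = """\
01:03:00.296138 IP 192.168.0.254 > 192.168.1.1: icmp 36: host 1.0.0.1 unreachable - admin prohibited filter
01:03:00.296352 IP 192.168.0.254 > 192.168.1.1: icmp 36: host 1.0.0.1 unreachable
01:03:01.000000 IP 192.168.1.1 > 1.0.0.1: ICMP echo request, id 1, seq 2, length 64
"""

# Matches "host X unreachable" with an optional " - reason" suffix.
UNREACH_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): icmp \d+: "
    r"host (?P<target>[\d.]+) unreachable(?: - (?P<reason>.+))?$"
)


def parse_unreachables(text):
    """One dict per ICMP host-unreachable line; a message with no
    ' - reason' suffix is recorded as plain 'host unreachable'."""
    out = []
    for line in text.splitlines():
        m = UNREACH_RE.match(line)
        if m:
            d = m.groupdict()
            d["reason"] = d["reason"] or "host unreachable"
            out.append(d)
    return out


def unexpected_errors(text, allowed_reasons):
    """ICMP errors whose reason the ruleset is not meant to produce.
    With block-policy drop and only return-icmp(13) rules, the only
    expected reason is 'admin prohibited filter'."""
    return [d for d in parse_unreachables(text)
            if d["reason"] not in allowed_reasons]


def summary(text):
    """Count messages per (sender, reason) so a leaking host stands out."""
    return Counter((d["src"], d["reason"]) for d in parse_unreachables(text))


if __name__ == "__main__":
    for d in unexpected_errors(SAMPLE, {"admin prohibited filter"}):
        print(f"{d['ts']} {d['src']} sent '{d['reason']}' "
              f"for {d['target']} to {d['dst']}")
```

Feed it `tcpdump -l -n -i vlan1 icmp` output on the inside interface to see which gateway sends which error type.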