Subject: confusing pf behaviour, block drop still returns messages?
To: None <firstname.lastname@example.org>
From: Nino Dehne <email@example.com>
Date: 04/12/2006 01:57:30
consider the following setup
Internet <-> [pppoe0]gw-ext[sip1] <-> [sip2]gw[vlan1] <-> LAN
pppoe0: public address
a client in LAN: 192.168.1.1
gw-ext utilises a pf(4) ruleset that - among other things - blocks bogon
and RFC1918 networks on pppoe0 in both directions:
set block-policy drop
# don't rewrite to/from <evil>, saves a state entry and gets squashed below
# in filter rules
no nat on $ext_if inet from any to <evil>
no rdr on $ext_if inet from <evil> to any
block in log quick on $ext_if inet from any to <evil>
block in log quick on $ext_if inet from <evil> to any
block return-icmp(13) out log quick on $ext_if inet from any to <evil>
block return-icmp(13) out log quick on $ext_if inet from <evil> to any
The idea is to silently drop everything that originates outside our network
in order to not generate traffic to known invalid/bogus destinations,
but to be so kind and return an error for local networks to aid debugging.
However, when I tcpdump on interface vlan1 on host gw, I see two errors:
01:03:00.296138 IP 192.168.0.254 > 192.168.1.1: icmp 36: host 184.108.40.206 unreachable - admin prohibited filter
01:03:00.296352 IP 192.168.0.254 > 192.168.1.1: icmp 36: host 220.127.116.11 unreachable
The first is expected, the second isn't. The second message even persists
when I remove the return-icmp(13). At that point gw-ext shouldn't emit error
messages because of the default block-policy.
I also noticed that, when I try to ping the host 18.104.22.168 directly from gw-ext
I get a confusing error message:
# ping 22.214.171.124
PING 126.96.36.199 (188.8.131.52): 56 data bytes
ping: sendto: No route to host
This is plain wrong. First, there is a route to that network in the routing
table. Second, I even get that message when I tell pf to silently block and
not return anything.
What is going on here? To me, this is not consistent behaviour at all. How
can I get a nice "admin prohibited" error while shutting up pf about the
normal unreachable which I think shouldn't be there in the first place?