[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: ICMP record route
- To: "Alain Deschamps" <obsd-tech_(_at_)_alain_(_dot_)_deschamps_(_dot_)_name>, <tech_(_at_)_openbsd_(_dot_)_org>
- Subject: Re: ICMP record route
- From: "Pillai, Gopakumar (Gopu)" <gopu_(_at_)_avaya_(_dot_)_com>
- Date: Mon, 4 Aug 2003 15:00:11 -0600
- Thread-index: AcNYzMX2lzha7fjjSLCF4bgKISYm8wB+r9TA
- Thread-topic: ICMP record route
Yes, It works, when I add specific rule it works, or when I disable PF
then the record route ICMP packets gets forwarded. Thanks a lot.
Now these are the things I found:
If I put these rules it does not forward packets.
pass in all allow-opts
pass out all allow-opts
If I put the following it forwards:
pass in proto icmp all allow-opts
pass out proto icmp all allow-opts
My typical scenario is to allow requests go out and replies to come in.
No block rules for traffic from trusted side (private) to come in to the
forwarder, no block rules going out the public interface either. Block
all rules coming in on untrusted interface (public).
But looks like keep state is not much of use here:
pass out proto icmp all keep state allow-opts
The above does not work, since the default behavior is to block on all
interfaces. I have to add an explicit rule to let the request packet
come in first i.e. "pass in on fxp1 proto icmp all allow-opts".
Cosidering the above scenario for allowing normal ICMP packets to go
thru one would need only one rule:
pass out proto icmp all keep state
We need to add two rule if options are set, then is keep-state with
allow-opts doing its job?
If it is an issue I have helped to bring it to OpenBSD's attention
otherwise pls. ignore my ignorance.
From: Alain Deschamps [mailto:obsd-tech_(_at_)_alain_(_dot_)_deschamps_(_dot_)_name]
Sent: Saturday, August 02, 2003 1:04 AM
Subject: Re: ICMP record route
On Fri, 1 Aug 2003 15:35:35 -0600, you wrote:
>I feel the OpenBSD is responding fine, but the main problem I have is
>that it does not forward ICMP packets with the record route options
>set. I have verified that with my system (OpenBSD 3.2 stable).
>From: Federico G. Schwindt [mailto:fgsch_(_at_)_lodoss_(_dot_)_net]
>Sent: Friday, August 01, 2003 2:01 PM
>To: Pillai, Gopakumar (Gopu)
>Subject: Re: ICMP record route
>On Fri, Aug 01, 2003 at 02:26:40PM -0600, Pillai, Gopakumar (Gopu)
>> I am running OpenBSD 3.2 stable. I found that it does not reply to
>> ICMP requests with record route option (tested with "ping -R"
>> More than that, when I setup my OpenBSD box to forward packets
>> interfaces, it does not forward ICMP record route packets.
>> Is this a bug or is it disabled by default in the system?
>> If disabled, how can I enable it.
>> Couldn't find any help on this subject hence bugging you all
>> Thanks in advance
> it works fine for me in -current, don't remember 3.2, tho. this
> belongs to misc anyway.
>PING 192.168.1.1 (192.168.1.1): 56 data bytes
>64 bytes from 192.168.1.1: icmp_seq=0 ttl=63 time=0.798 ms
> xx.xx.xx (xx.xx.xx.xx)
>64 bytes from 192.168.1.1: icmp_seq=1 ttl=63 time=0.554 ms (same
>64 bytes from 192.168.1.1: icmp_seq=2 ttl=63 time=0.504 ms (same
>--- 192.168.1.1 ping statistics ---
By default IP options are dropped by pf.
Search allow-opts in man pf.conf
Incoming mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.505 / Virus Database: 302 - Release Date: 7/30/2003