pf: ICMP Ping with no state flag set not working

jummo4
Hi,

I have just upgraded an OpenBSD 4.7 firewall to 5.2. The system routes
between $net1 and $net2 with pf enabled. After the upgrade, ping requests
from $net1 to $net2 get stuck (and vice versa). Only the first icmp
echo-req from $net1 to $net2 gets answered by an icmp echo-reply; all
subsequent icmp echo-reqs are seen on the $net1 interface of the firewall,
but there is no log message in pflog0 and nothing on the $net2 interface.

I use the no state flag for the rules because the default gateway is not
this system.

pass out
pass in log on $net1_if inet from $net1 to $net2 no state
pass in log on $net2_if inet from $net2 to $net1 no state

I have solved the problem with dedicated ICMP rules after the rules above.

pass in log on $net1_if proto icmp from $net1 to $net2
pass in log on $net2_if proto icmp from $net2 to $net1

Why is only the first ping OK with the no state flag set on the pass rule?

Thanks,
Patrick
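The ruleset below is an added example, not code from the original post. It puts the mixed ruleset from the post beside a consistently stateless one. The interface and network macros are placeholders assumed for the example, and the comments give my reading of pf's behaviour rather than anything the post confirms: state lookup runs before the ruleset is evaluated, and `pass out` keeps state by default (floating, not bound to an interface) even when the `pass in` rules say `no state`, so the first ping still leaves state behind that later echo requests can be matched against instead of reaching the logged rules.

```pf
# Added example, not from the original post. Macro values are assumed.
net1_if = "em0"
net2_if = "em1"
net1    = "192.0.2.0/24"
net2    = "198.51.100.0/24"

# --- As posted: mixed stateful / stateless --------------------------------
# "pass out" keeps state by default, and that state is floating, so it is
# not tied to the interface it was created on. pf checks the state table
# before it evaluates rules, so once the first echo request has created
# state on the way out of $net2_if, later packets of the same ping can be
# matched by that state and never reach the "no state" rules (and their
# "log").
#
# pass out
# pass in log on $net1_if inet from $net1 to $net2 no state
# pass in log on $net2_if inet from $net2 to $net1 no state

# --- Consistently stateless ----------------------------------------------
# If this box is not the default gateway and paths are asymmetric, make
# every rule stateless, the outbound one included. Every packet is then
# matched against the ruleset in both directions, and "log" records each
# packet rather than only the one that would have created a state.
block log all
pass out no state
pass in log on $net1_if inet from $net1 to $net2 no state
pass in log on $net2_if inet from $net2 to $net1 no state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading. With the stateless set in place, `pfctl -ss` shows no icmp entries while a ping is running, since no rule keeps state; if entries still appear, some other rule is creating them. Note the trade-off: without state, pf cannot track TCP sequence windows, so the stateless rules pass any packet that matches the addresses, not only packets belonging to a connection it has seen.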