ping: wrote x.x.x.x 64 chars, ret=-1

Eugen Aciu

Mar 7, 2006, 8:48:25 AM

I have OpenBSD 3.8 as a router. This is my pf.conf:

ext_if="dc0"
int_if="xl0"

tcp_services = "{22, 113}"
icmp_types = "echoreq"
priv_nets = "{127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8}"

#options
set block-policy return
#set loginterface $ext_if

#scrub
scrub in all

#nat/redirect
nat on $ext_if from $int_if:network to any ->$ext_if
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

#filter RULES
block all
pass quick on lo0 all

block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets

pass in on $ext_if inet proto tcp from any to $ext_if port $tcp_services \
flags S/SA keep state
pass in on $ext_if inet proto tcp from port 20 to $ext_if user proxy \
flags S/SA keep state

pass in inet proto icmp all icmp-type $icmp_types keep state

pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto {udp, icmp} all keep state

Everything goes fine, until any connection is lost and the ping command returns:
ping: wrote x.x.x.x 64 chars, ret=-1
ping: sendto: No route to host
ping: wrote x.x.x.x 64 chars, ret=-1
ping: sendto: No route to host
ping: wrote x.x.x.x 64 chars, ret=-1
64 bytes from x.x.x.x: icmp_seq=7 ttl=255 time=0.684 ms
64 bytes from x.x.x.x icmp_seq=8 ttl=255 time=0.306 ms
It doesn't matter if I ping the internal network or the ISP gateway,
the result is the same: first "no route to host", then after a few seconds
I get a reply.
If I comment out everything in "RULES" and put "pass all", it works
with no problems, so I exclude a hardware problem.

Travis H.

Mar 11, 2006, 10:58:35 PM

Convert all your block rules to use "log", sniff on pflog0, with -e and -s 2048

That should tell you what rule is blocking the first few.

My hunch is that some kind of state is getting set up by the ICMP echo
replies, and thus future requests are being passed.

In any case, the "no route to host" suggests that it is pf that is blocking it.
--
Security Guru for Hire http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484

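The capture-and-read step Travis describes, as an added shell example that is not part of the original thread: it tallies decoded pflog lines (a constructed sample, not output from the poster's router) by rule number, action, direction and interface so the blocking rule can be looked up in the loaded ruleset.

```shell
#!/bin/sh
# Added example, not part of the original thread. On the OpenBSD router
# the capture Travis describes would be something like:
#   tcpdump -n -e -s 2048 -i pflog0
# (-e prints the pf rule number, action, direction and interface).
# summarize_pflog() below tallies those decoded lines so that the rule
# numbers can be looked up in `pfctl -vvsr`, which prefixes each rule
# with @N.

# Constructed sample of decoded pflog lines; the hosts, interfaces and
# rule numbers are made up and are not from the poster's system.
SAMPLE_PFLOG='Mar 07 08:48:01.000001 rule 4/0(match): block out on xl0: 192.168.1.1 > 192.168.1.10: icmp: echo request
Mar 07 08:48:02.000002 rule 4/0(match): block out on xl0: 192.168.1.1 > 192.168.1.10: icmp: echo request
Mar 07 08:48:03.000003 rule 4/0(match): block out on dc0: 10.1.1.2 > 10.1.1.1: icmp: echo request
Mar 07 08:48:04.000004 rule 7/0(match): block in on dc0: 203.0.113.9 > 10.1.1.2: tcp 40 [S] 1234 > 25'

# summarize_pflog: read decoded pflog lines on stdin and print one line per
# (rule number, action, direction, interface), most frequent first.
summarize_pflog() {
    awk '
        {
            # token layout: rule N/M(match): ACTION DIR on IFACE: ...
            for (i = 1; i <= NF; i++) {
                if ($i == "rule") {
                    split($(i + 1), r, "/")     # "4/0(match):" -> "4"
                    key = r[1] " " $(i + 2) " " $(i + 3) " " $(i + 5)
                    sub(/:$/, "", key)          # strip ":" after the interface
                    count[key]++
                    break
                }
            }
        }
        END { for (k in count) printf "%d rule %s\n", count[k], k }
    ' | sort -rn
}

# blocked_rule_numbers: the distinct rule numbers seen, one per line,
# ready for e.g.  pfctl -vvsr | grep '^@4 '
blocked_rule_numbers() {
    summarize_pflog | awk '{ print $3 }' | sort -un
}

printf '%s\n' "$SAMPLE_PFLOG" | summarize_pflog
```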