From ted@black.impulse.net  Tue Nov  2 00:35:22 2004
Return-Path: <ted@black.impulse.net>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id A34FE16A4CE
	for <FreeBSD-gnats-submit@freebsd.org>; Tue,  2 Nov 2004 00:35:22 +0000 (GMT)
Received: from black.impulse.net (black.impulse.net [64.4.129.4])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 7080643D1F
	for <FreeBSD-gnats-submit@freebsd.org>; Tue,  2 Nov 2004 00:35:20 +0000 (GMT)
	(envelope-from ted@black.impulse.net)
Received: from black.impulse.net (localhost [127.0.0.1])
	by black.impulse.net (8.12.6/8.12.6) with ESMTP id iA20ZKp2001301
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 1 Nov 2004 16:35:20 -0800 (PST)
	(envelope-from ted@black.impulse.net)
Received: (from ted@localhost)
	by black.impulse.net (8.12.6/8.12.6/Submit) id iA20ZJY7001300;
	Mon, 1 Nov 2004 16:35:19 -0800 (PST)
Message-Id: <200411020035.iA20ZJY7001300@black.impulse.net>
Date: Mon, 1 Nov 2004 16:35:19 -0800 (PST)
From: Ted Cabeen <ted@impulse.net>
Reply-To: Ted Cabeen <ted@impulse.net>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: ipf blocks echo replies with keep state on pass out icmp line
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         73399
>Category:       kern
>Synopsis:       ipf blocks echo replies with keep state on pass out icmp line
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Nov 02 00:40:23 GMT 2004
>Closed-Date:    Wed Nov 03 21:13:55 GMT 2004
>Last-Modified:  Wed Nov  3 21:20:20 GMT 2004
>Originator:     Ted Cabeen
>Release:        FreeBSD 5.3-RC2 i386
>Organization:
Impulse Internet Services
>Environment:
System: FreeBSD black.impulse.net 5.3-RC2.
Kernel config:
#
# BLACK -- Configuration for the Impulse Backup Server
#

machine		i386
#cpu		I486_CPU
#cpu		I586_CPU
cpu		I686_CPU
ident		BLACK

# To statically compile in device wiring instead of /boot/device.hints
#hints		"GENERIC.hints"		# Default places to look for devices.

options 	SCHED_4BSD		# ULE scheduler is broken
options 	INET			# InterNETworking
options 	INET6			# IPv6 communications protocols
options 	FFS			# Berkeley Fast Filesystem
options 	SOFTUPDATES		# Enable FFS soft updates support
options 	UFS_ACL			# Support for access control lists
options 	UFS_DIRHASH		# Improve performance on big directories
options 	MD_ROOT			# MD is a potential root device
options 	NFSCLIENT		# Network Filesystem Client
options 	MSDOSFS			# MSDOS Filesystem
options 	CD9660			# ISO 9660 Filesystem
options 	PROCFS			# Process filesystem (requires PSEUDOFS)
options 	PSEUDOFS		# Pseudo-filesystem framework
options 	GEOM_GPT		# GUID Partition Tables.
options 	COMPAT_43		# Compatible with BSD 4.3 [KEEP THIS!]
options 	COMPAT_FREEBSD4		# Compatible with FreeBSD4
options 	SCSI_DELAY=15000	# Delay (in ms) before probing SCSI
options 	KTRACE			# ktrace(1) support
options 	SYSVSHM			# SYSV-style shared memory
options 	SYSVMSG			# SYSV-style message queues
options 	SYSVSEM			# SYSV-style semaphores
options 	_KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
options 	KBD_INSTALL_CDEV	# install a CDEV entry in /dev
options 	AHC_REG_PRETTY_PRINT	# Print register bitfields in debug
					# output.  Adds ~128k to driver.
options 	AHD_REG_PRETTY_PRINT	# Print register bitfields in debug
					# output.  Adds ~215k to driver.
options 	ADAPTIVE_GIANT		# Giant mutex is adaptive.

# Bus support.  Do not remove isa, even if you have no isa slots
device		isa
#device		eisa
device		pci

# Floppy drives
device		fdc

# ATA and ATAPI devices
device		ata
device		atadisk		# ATA disk drives
device		ataraid		# ATA RAID drives
device		atapicd		# ATAPI CDROM drives
device		atapifd		# ATAPI floppy drives
device		atapist		# ATAPI tape drives
options 	ATA_STATIC_ID	# Static device numbering

# atkbdc0 controls both the keyboard and the PS/2 mouse
device		atkbdc		# AT keyboard controller
device		atkbd		# AT keyboard
device		psm		# PS/2 mouse

device		vga		# VGA video card driver

#device		splash		# Splash screen and screen saver support

# syscons is the default console driver, resembling an SCO console
device		sc

# Enable this for the pcvt (VT220 compatible) console driver
#device		vt
#options 	XSERVER		# support for X server on a vt console
#options 	FAT_CURSOR	# start with block cursor

device		agp		# support several AGP chipsets

# Floating point support - do not disable.
device		npx

# Power management support (see NOTES for more options)
device		apm
# Add suspend/resume support for the i8254.
device		pmtimer

# Serial (COM) ports
device		sio		# 8250, 16[45]50 based serial ports

# If you've got a "dumb" serial or parallel PCI card that is
# supported by the puc(4) glue driver, uncomment the following
# line to enable it (connects to the sio and/or ppc drivers):
#device         puc

# PCI Ethernet NICs that use the common MII bus controller code.
# NOTE: Be sure to keep the 'device miibus' line in order to use these NICs!
device		miibus		# MII bus support
device		fxp		# Intel EtherExpress PRO/100B (82557, 82558)

# Pseudo devices.
device		loop		# Network loopback
device		mem		# Memory and kernel memory devices
device		io		# I/O device
device		random		# Entropy device
device		ether		# Ethernet support
#device		sl		# Kernel SLIP
#device		ppp		# Kernel PPP
device		tun		# Packet tunnel.
device		pty		# Pseudo-ttys (telnet etc)
device		md		# Memory "disks"
device		gif		# IPv6 and IPv4 tunneling
device		faith		# IPv6-to-IPv4 relaying (translation)

# The `bpf' device enables the Berkeley Packet Filter.
# Be aware of the administrative consequences of enabling this!
device		bpf		# Berkeley packet filter

>Description:
With the following line in /etc/ipf.rules the firewall blocks outbound
echo replies:
pass out quick on fxp0 proto icmp all keep state

In FreeBSD 4.x, this line works fine, and echo replies are not blocked.

>How-To-Repeat:

Add "pass out quick on fxp0 proto icmp all keep state" to /etc/ipf.rules
near the top of the file to allow outbound packets.

>Fix:

Change the offending line to the following:
pass out quick on fxp0 proto icmp all

However, this doesn't provide the same functionality as the non-functional
line.

>Release-Note:
>Audit-Trail:

From: Giorgos Keramidas <keramida@freebsd.org>
To: Ted Cabeen <ted@impulse.net>
Cc: bug-followup@freebsd.org
Subject: Re: kern/73399: ipf blocks echo replies with keep state on pass out icmp line
Date: Tue, 2 Nov 2004 19:19:33 +0200

 On 2004-11-01 16:35, Ted Cabeen <ted@impulse.net> wrote:
 > With the following line in /etc/ipf.rules the firewall blocks outbound
 > echo replies:
 > pass out quick on fxp0 proto icmp all keep state
 
 Can I see the full ruleset?  This seems to be a problem with the ruleset
 you are using.  I just flushed all my ipfilter rules and loaded a simple
 set like this:
 
 : # ipfstat -hnio
 : 0 @1 pass out quick on sis0 proto icmp from any to any keep state
 : 3 @2 pass out quick proto udp from any to any port = 53 keep state
 : empty list for ipfilter(in)
 
 The first rule allows DNS lookups.  The second is the rule you have
 mentioned; I've only changed fxp0 to sis0, my interface name.
 
 Outgoing icmp echo requests are passed as expected, and their incoming
 icmp echo replies are also allowed:
 
 : # ping www.otenet.gr
 : PING www.otenet.gr (62.103.128.200): 56 data bytes
 : 64 bytes from 62.103.128.200: icmp_seq=0 ttl=120 time=636.550 ms
 : ^C
 : --- www.otenet.gr ping statistics ---
 : 2 packets transmitted, 1 packets received, 50% packet loss
 : round-trip min/avg/max/stddev = 636.550/636.550/636.550/0.000 ms
 
 Incoming echo requests do not receive a reply, because there is no
 matching state to allow them in and there is no explicit allow rule for
 incoming echo requests.  Hence, echo replies are never sent from my
 workstation, unless I also add:
 
 : pass in quick on sis0 proto icmp from any to any keep state
 
 This is not a bug though.
 

From: Ted Cabeen <ted@impulse.net>
To: Giorgos Keramidas <keramida@freebsd.org>
Cc: bug-followup@freebsd.org
Subject: Re: kern/73399: ipf blocks echo replies with keep state on pass out
 icmp line
Date: Tue, 02 Nov 2004 10:27:58 -0800

 Giorgos Keramidas <keramida@freebsd.org> writes:
 
 > On 2004-11-01 16:35, Ted Cabeen <ted@impulse.net> wrote:
 >> With the following line in /etc/ipf.rules the firewall blocks outbound
 >> echo replies:
 >> pass out quick on fxp0 proto icmp all keep state
 >
 > Can I see the full ruleset?  This seems to be a problem with the ruleset
 > you are using.  I just flushed all my ipfilter rules and loaded a simple
 > set like this:
 >
 > : # ipfstat -hnio
 > : 0 @1 pass out quick on sis0 proto icmp from any to any keep state
 > : 3 @2 pass out quick proto udp from any to any port = 53 keep state
 > : empty list for ipfilter(in)
 >
 > The first rule allows DNS lookups.  The second is the rule you have
 > mentioned; I've only changed fxp0 to sis0, my interface name.
 >
 > Outgoing icmp echo requests are passed as expected, and their incoming
 > icmp echo replies are also allowed:
 >
 > : # ping www.otenet.gr
 > : PING www.otenet.gr (62.103.128.200): 56 data bytes
 > : 64 bytes from 62.103.128.200: icmp_seq=0 ttl=120 time=636.550 ms
 > : ^C
 > : --- www.otenet.gr ping statistics ---
 > : 2 packets transmitted, 1 packets received, 50% packet loss
 > : round-trip min/avg/max/stddev = 636.550/636.550/636.550/0.000 ms
 >
 > Incoming echo requests do not receive a reply, because there is no
 > matching state to allow them in and there is no explicit allow rule for
 > incoming echo requests.  Hence, echo replies are never sent from my
 > workstation, unless I also add:
 >
 > : pass in quick on sis0 proto icmp from any to any keep state
 
 Outgoing echo requests work fine on this machine.  It's inbound
 responses that are having problems.
 
 Here's my full ruleset.  I have a rule allowing inbound echo requests,
 so it should allow the outbound reply packets.  What's interesting to
 me is that the exact same ruleset works fine on 4.X machines.
 
 -------------
 # IP filtering rules.  See the ipf(5) man page for more
 # information on the format of this file, and /usr/share/ipf
 # for example configuration files.
 
 ##
 ## Permit all localhost stuff
 ##
 pass in quick on lo0 all
 pass out quick on lo0 all
 
 ##
 ## Permit outbound stuff, except peculiar things.
 ##
 pass out quick on fxp0 proto udp all keep state
 pass out quick on fxp0 proto icmp all keep state
 pass out quick on fxp0 proto tcp all keep state
 block out log from 127.0.0.0/8 to any
 block out log from any to 127.0.0.0/8
 block out log from any to black
 
 ##
 ## Block & log wacky stuff: options, shorts, spoofs, etc.
 ##
 #block in log quick from any to any with ipopts
 #block in log quick proto tcp from any to any with short
 
 ##
 ## More specifically, block from/to localhost and invalid networks
 ##
 block in log quick from 192.168.0.0/16 to any
 block in log quick from 172.16.0.0/12 to any
 block in log quick from 10.0.0.0/8 to any
 block in log quick on fxp0 from 127.0.0.0/8 to any 
 block in log quick on fxp0 from 0.0.0.0/8 to any
 block in log quick on fxp0 from 169.254.0.0/16 to any
 block in log quick on fxp0 from 192.0.2.0/24 to any
 block in log quick on fxp0 from 204.152.64.0/23 to any
 block in log quick on fxp0 from 224.0.0.0/3 to any
 block in log quick on fxp0 from black to any 
 block out log quick on fxp0 from any to 192.168.0.0/16
 block out log quick on fxp0 from any to 172.16.0.0/12
 block out log quick on fxp0 from any to 10.0.0.0/8
 block out log quick on fxp0 from any to 0.0.0.0/8
 block out log quick on fxp0 from any to 127.0.0.0/8
 block out log quick on fxp0 from any to 169.254.0.0/16
 block out log quick on fxp0 from any to 192.0.2.0/24
 block out log quick on fxp0 from any to 204.152.64.0/23
 block out log quick on fxp0 from any to 224.0.0.0/3
 
 ##
 ## ICMP rules
 ##
 pass in quick on fxp0 proto icmp from any to black icmp-type 0
 pass in quick on fxp0 proto icmp from any to black icmp-type 8
 pass in quick on fxp0 proto icmp from any to black icmp-type 11
 
 # Allow SSH in from 64 net
 pass in quick proto tcp from 207.154.64.0/23 to black port = 22 flags S keep state 
 pass in quick proto tcp from 64.4.129.0/24 to black port = 22 flags S keep state 
 
 # Allow monitoring from demon
 pass in quick proto udp from 207.154.64.163/32 to black port = 161 keep state
 pass in quick proto tcp from 207.154.64.163/32 to black port = 5666 flags S keep state
 
 # Allow Amanda from 64 net
 pass in quick proto udp from 207.154.64.0/24 port = 10080 to black keep state
 pass in quick proto udp from 207.154.84.24/32 port = 10080 to black keep state
 pass in quick proto tcp from 207.154.64.174/32 to 207.154.64.33/32 port = 63425 flags S keep state
 
 ##
 ## Block and log inbound traffic, just in case.
 ##
 block return-rst in log quick on fxp0 proto tcp all
 block return-icmp(port-unr) in log quick on fxp0 proto udp all
 block in log on fxp0 all 
 
 
 -- 
 Ted Cabeen
 Sr. Systems/Network Administrator
 Impulse Internet Services

From: Giorgos Keramidas <keramida@freebsd.org>
To: Ted Cabeen <ted@impulse.net>
Cc: bug-followup@freebsd.org
Subject: Re: kern/73399: ipf blocks echo replies with keep state on pass out icmp line
Date: Wed, 3 Nov 2004 00:30:30 +0200

 On 2004-11-02 10:27, Ted Cabeen <ted@impulse.net> wrote:
 > Giorgos Keramidas <keramida@freebsd.org> writes:
 > > On 2004-11-01 16:35, Ted Cabeen <ted@impulse.net> wrote:
 > >> With the following line in /etc/ipf.rules the firewall blocks outbound
 > >> echo replies:
 > >> pass out quick on fxp0 proto icmp all keep state
 > >
 > > Can I see the full ruleset?  This seems to be a problem with the ruleset
 > > you are using.
 >
 !grep icmp rules
 > pass out quick on fxp0 proto icmp all keep state
 > pass in quick on fxp0 proto icmp from any to black icmp-type 0
 > pass in quick on fxp0 proto icmp from any to black icmp-type 8
 > pass in quick on fxp0 proto icmp from any to black icmp-type 11
 > block return-icmp(port-unr) in log quick on fxp0 proto udp all
 
 Your ruleset uses `keep state' for outgoing icmps but not for the icmp-types
 0, 8 and 11.  I'm not sure how ipfilter keeps states internally, but can you
 try one of the following?
 
 a. Add 'keep state' to the input rules too, or
 
 b. Replace all your icmp rules with a pair like this:
 
 	pass in icmp all
 	pass out icmp all
 
 If (a) doesn't work but (b) works, we'll have to look at this in more
 detail.  If they both work, it's probably a lot faster to keep (b) and
 use the net.inet.icmp.icmplim sysctl to limit the rate of icmp packets ;-)
 

From: Ted Cabeen <ted@impulse.net>
To: Giorgos Keramidas <keramida@freebsd.org>
Cc: bug-followup@freebsd.org
Subject: Re: kern/73399: ipf blocks echo replies with keep state on pass out
 icmp line
Date: Wed, 03 Nov 2004 11:09:17 -0800

 Giorgos Keramidas <keramida@freebsd.org> writes:
 
 > On 2004-11-02 10:27, Ted Cabeen <ted@impulse.net> wrote:
 >> Giorgos Keramidas <keramida@freebsd.org> writes:
 >> > On 2004-11-01 16:35, Ted Cabeen <ted@impulse.net> wrote:
 >> >> With the following line in /etc/ipf.rules the firewall blocks outbound
 >> >> echo replies:
 >> >> pass out quick on fxp0 proto icmp all keep state
 >> >
 >> > Can I see the full ruleset?  This seems to be a problem with the ruleset
 >> > you are using.
 >>
 > !grep icmp rules
 >> pass out quick on fxp0 proto icmp all keep state
 >> pass in quick on fxp0 proto icmp from any to black icmp-type 0
 >> pass in quick on fxp0 proto icmp from any to black icmp-type 8
 >> pass in quick on fxp0 proto icmp from any to black icmp-type 11
 >> block return-icmp(port-unr) in log quick on fxp0 proto udp all
 >
 > Your ruleset uses `keep state' for outgoing icmps but not for the icmp-types
 > 0, 8 and 11.  I'm not sure how ipfilter keeps states internally, but can you
 > try one of the following?
 >
 > a. Add 'keep state' to the input rules too, or
 >
 > b. Replace all your icmp rules with a pair like this:
 >
 > 	pass in icmp all
 > 	pass out icmp all
 >
 > If (a) doesn't work but (b) works, we'll have to look at this in more
 > detail.  If they both work, it's probably a lot faster to keep (b) and
 > use the net.inet.icmp.icmplim sysctl to limit the rate of icmp packets ;-)
 
 (a) works, so I'll probably just go with that.  Thanks for the input.
 
 -- 
 Ted Cabeen
 Sr. Systems/Network Administrator
 Impulse Internet Services
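
The fix the submitter confirmed as option (a), written out as the ICMP section of his ruleset with `keep state` added to the inbound rules; this is an added illustration, not text from the thread. The `black` hostname and `fxp0` interface are taken from his ruleset above, and the reload and check commands are standard ipf(8)/ipfstat(8) invocations rather than something the thread itself ran.

```conf
##
## ICMP rules (option (a) from the thread: keep state on the inbound rules too)
##
# Outbound ICMP: unchanged from the original ruleset. An outgoing echo
# request creates a state entry that lets the matching echo reply back in.
pass out quick on fxp0 proto icmp all keep state

# Inbound ICMP: 'keep state' added. An incoming echo request (type 8) now
# creates a state entry, so the echo reply this host sends back is passed
# by that entry instead of being evaluated as a fresh outbound packet.
pass in quick on fxp0 proto icmp from any to black icmp-type 0 keep state
pass in quick on fxp0 proto icmp from any to black icmp-type 8 keep state
pass in quick on fxp0 proto icmp from any to black icmp-type 11 keep state

# Reload and check (run as root):
#   ipf -Fa -f /etc/ipf.rules   # flush the old rules and load this file
#   ipfstat -hnio               # confirm the rules loaded with 'keep state'
#   ipfstat -sl                 # list state entries while a remote host pings black
```
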
State-Changed-From-To: open->closed 
State-Changed-By: keramida 
State-Changed-When: Wed Nov 3 21:08:03 GMT 2004 
State-Changed-Why:  


http://www.freebsd.org/cgi/query-pr.cgi?pr=73399 

From: Giorgos Keramidas <keramida@freebsd.org>
To: ted@impulse.net
Cc: bug-followup@freebsd.org
Subject: Re: kern/73399: ipf blocks echo replies with keep state on pass out icmp line
Date: Wed, 3 Nov 2004 23:18:08 +0200

 On 2004-11-03 21:13, Giorgos Keramidas <keramida@freebsd.org> wrote:
 > State-Changed-From-To: open->closed
 > State-Changed-By: keramida
 > State-Changed-When: Wed Nov 3 21:08:03 GMT 2004
 > State-Changed-Why:
 
 Hmmm, sorry for that.  My ssh connection died while I still had a vi(1)
 session open.  Then edit-pr got confused when I reconnected and killed
 vi(1).  The real reason for the close was:
 
 : The submitter verified that adding state keeping options to the input icmp
 : rules too fixed his firewall. This isn't an ipfilter bug, just a change from
 : the behavior of ipf he was used to in older FreeBSD versions.
 :
 : Nevertheless, thank you Ted, for reporting what you perceived as a problem.
 : We appreciate all the help we can get in improving FreeBSD.
 :
 : Thanks!
 
>Unformatted:
