Hello!


Recently I configured pf on my mail gateway (patched OpenBSD-3.3
RELEASE) as follows:
--------------
# pfctl -s all
scrub in all fragment reassemble
block drop all
block return-icmp(proto-unr) in inet all
block return-icmp(port-unr) in inet proto udp all
block return-rst in inet proto tcp all
pass in quick on lo0 inet all
pass out quick on lo0 inet all
block drop in quick inet from 224.0.0.0/4 to any
block drop in quick inet from 240.0.0.0/4 to any
block drop in quick inet from 0.0.0.0/8 to any
block drop in quick inet from 192.0.2.0/24 to any
block drop in quick inet from 169.254.0.0/16 to any
block drop in quick inet from 198.18.0.0/15 to any
block drop in quick inet from 127.0.0.0/8 to any
block drop in quick inet from any to 224.0.0.0/4
block drop in quick inet from any to 240.0.0.0/4
block drop in quick inet from any to 0.0.0.0/8
pass in quick on fxp0 inet proto tcp from any to 192.168.150.13 port =
smtp flags S/SA keep state (max 4096)
pass in quick on fxp0 inet proto tcp from any to 192.168.150.13 port =
ssh flags S/SA keep state (max 17)
pass in quick on fxp0 inet proto udp from any to 192.168.150.13 port
33433 >< 33690 keep state (max 127)
pass in quick on fxp0 inet proto icmp from any to 192.168.150.13
icmp-type echoreq code 0 keep state (max 127)
pass out quick on fxp0 inet proto tcp from 192.168.150.13 to any flags
S/SA keep state
pass out quick on fxp0 inet proto udp from 192.168.150.13 to any keep state
pass out quick on fxp0 inet proto icmp from 192.168.150.13 to any
icmp-type echoreq code 0 keep state
icmp 192.168.150.13:63312 <- 192.168.150.254:63312 0:0
[cut]
Status: Enabled for 0 days 18:42:44 Debug: None

State Table Total Rate
current entries 197
searches 9738453 144.6/s
inserts 665295 9.9/s
removals 665098 9.9/s
Counters
match 4421401 65.6/s
bad-offset 0 0.0/s
fragment 0 0.0/s
short 426 0.0/s
normalize 36 0.0/s
memory 0 0.0/s
tcp.first 3600s
tcp.opening 900s
tcp.established 432000s
tcp.closing 3600s
tcp.finwait 600s
tcp.closed 180s
udp.first 60s
udp.single 30s
udp.multiple 60s
icmp.first 20s
icmp.error 10s
other.first 60s
other.single 30s
other.multiple 60s
frag 30s
interval 10s
states hard limit 10000
frags hard limit 5000
---------------------

After that I checked that smtp, ssh, ping, traceroute worked and
scanned this host with nmap:
-------------------------------
# nmap -sO -v -r 192.168.150.13
-------------------------------

nmap said that all protocols are open (??).
I looked at tcpdump output made during the scan -
there were no icmp "proto-unr" packets (??!).

Can anybody explain me such behaviour of pf?
I expected to find icmp "proto-unr" in the tcpdump output.


--
Alexei Malinin,
Chief Specialist of
Network Technologies Department,
ECom-IT Limited, Moscow
Basic Element Inc., Russia