
Ping response going out the wrong interface



Using pf on OpenBSD 3.6 (GENERIC) ...
I previously posted about a firewall system based on pf, with two WAN interfaces
and a routing problem that led to TCP responses going out the wrong port. I
thought that I had a temporary workaround by not creating a specific static
route, but I still do not know the solution.
This morning I decided to investigate the source of traffic on one of those
interfaces, and found that my ISP is sending quite a few pings. There is a
block of 8 addresses and all are getting pinged at a slow rate, but repeatedly.
The reason? The system is sending ping responses out through the other WAN port,
and they thus get dropped at the far end. To be more specific, an incoming ping
arrives on fxp2. The system sends the echo reply out fxp1.
I don't know how my pf.conf could create such a situation; the logic for ICMP is
very simple:
# $ext_if1 and $ext_if2 are the two WAN interfaces (macros defined earlier in pf.conf)
icmp_types = "{ echoreq, unreach }"
# inbound echo requests / unreachables on either WAN, stateful
pass in on $ext_if1 inet proto icmp all icmp-type $icmp_types keep state
pass in on $ext_if2 inet proto icmp all icmp-type $icmp_types keep state
# outbound UDP and ICMP on either WAN, stateful
pass out on $ext_if1 proto { udp, icmp } all keep state
pass out on $ext_if2 proto { udp, icmp } all keep state
HELP!
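The symmetric-routing fix a practitioner would apply to the ruleset above, as an added example that is not part of the original post: pf's `reply-to` option is attached to the state created by a `pass in ... keep state` rule and sends that state's reply packets out the named interface and gateway, so the echo reply leaves the interface the request arrived on instead of following the routing table's default route. The interface names, the `ext_gw1`/`ext_gw2` gateway macros and their addresses are assumed placeholders, not values from the post.

```pf
# Added example (not the poster's ruleset): enforce symmetric routing on a
# dual-WAN pf host so replies leave via the interface the request came in on.
# Interface and gateway values below are assumed placeholders.
ext_if1 = "fxp1"
ext_if2 = "fxp2"
ext_gw1 = "192.0.2.1"        # assumed: upstream gateway reachable on ext_if1
ext_gw2 = "198.51.100.1"     # assumed: upstream gateway reachable on ext_if2
icmp_types = "{ echoreq, unreach }"

# reply-to (interface gateway) binds to the state this rule creates: every
# reply packet of the state (here, the echo reply) is handed to that
# interface/gateway rather than to the kernel's routing table lookup.
pass in on $ext_if1 reply-to ($ext_if1 $ext_gw1) inet proto icmp all \
    icmp-type $icmp_types keep state
pass in on $ext_if2 reply-to ($ext_if2 $ext_gw2) inet proto icmp all \
    icmp-type $icmp_types keep state

# The same reply-to belongs on any other stateful "pass in" rule for a
# service exposed on both WANs; outbound rules stay as in the original.
pass out on $ext_if1 proto { udp, icmp } all keep state
pass out on $ext_if2 proto { udp, icmp } all keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading; afterwards `tcpdump -ni fxp2 icmp` should show the echo reply leaving on the same interface the request arrived on.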