
Bug #3335

closed

Outgoing connections opens the firewall from outside

Added by Frank Meisenbach almost 12 years ago. Updated almost 12 years ago.

Status: Rejected
Priority: Normal
Assignee: -
Category: Rules / NAT
Target version: -
Start date: 11/22/2013
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.1
Affected Architecture: i386

Description

I have a pfSense with three ports.
These are a LAN (192.168.10.0/24), a DMZ (192.168.30.0/24) and an unused WAN port.
The LAN is configured to reach all other subnets, and the DMZ and the WAN are blocked by default.

Now, if I ping from a DMZ client to a LAN client, it is blocked.
A ping from the LAN client to the DMZ client is successful.
This is the behavior I expected.
But now the problem.
If I retry my first ping from the DMZ client to the LAN client directly after the ping from the LAN client to the DMZ client, it is also successful now.
Furthermore, this ping is successful as long as the ping tool runs.

FYI:
The prerequisite for this behavior is the same ICMP ID from the LAN client and the DMZ client!
I tested this with WIN XP clients which used the ID 512.

#1

Updated by Jim Pingle almost 12 years ago

  • Status changed from New to Rejected

pf matches states based on the ICMP id and source/destination but NOT on type/code. If the required bits match, the traffic is allowed through the state as a valid part of the original connection.

From pf.conf(5):

# pass out/in certain ICMP queries and keep state (ping)
# state matching is done on host addresses and ICMP id (not type/code),
# so replies (like 0/0 for 8/0) will match queries
# ICMP error messages (which always refer to a TCP/UDP packet) are
# handled by the TCP/UDP states
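To make the rejection reason concrete, here is a toy model of the id-based ICMP state matching quoted from pf.conf(5). This is an added example, not code from the bug report or from pf/pfSense; the subnets and the id 512 come from the report, the two host addresses are assumed, and the `strict_type` variant is a hypothetical policy added only for contrast.

```python
# Added example (not pf/pfSense code): toy model of the pf.conf(5) rule that
# ICMP state matching uses host addresses and ICMP id only, never type/code.
# Subnets and id 512 come from the report; host addresses are assumed.
from dataclasses import dataclass

LAN_CLIENT = "192.168.10.50"   # assumed host in the report's LAN /24
DMZ_CLIENT = "192.168.30.50"   # assumed host in the report's DMZ /24
ECHO_REQUEST, ECHO_REPLY = 8, 0


@dataclass(frozen=True)
class Icmp:
    src: str
    dst: str
    icmp_type: int
    icmp_id: int


class StateTable:
    """'keep state' for ICMP queries; strict_type is a hypothetical variant
    that additionally checks direction and type (for contrast only)."""

    def __init__(self, strict_type=False):
        self.states = set()            # entries: (initiator, responder, id)
        self.strict_type = strict_type

    def create(self, pkt):
        """A pass rule matched this packet: record its state."""
        self.states.add((pkt.src, pkt.dst, pkt.icmp_id))

    def matches(self, pkt):
        """Is pkt passed by an existing state, without consulting the rules?"""
        forward = (pkt.src, pkt.dst, pkt.icmp_id) in self.states
        reverse = (pkt.dst, pkt.src, pkt.icmp_id) in self.states
        if not self.strict_type:
            return forward or reverse  # addresses + id only, as in pf.conf(5)
        # hypothetical: request only from the initiator, reply only back to it
        return (forward and pkt.icmp_type == ECHO_REQUEST) or \
               (reverse and pkt.icmp_type == ECHO_REPLY)


def dmz_ping_passes(lan_ping_running, dmz_icmp_id, strict_type=False):
    """Does an echo request from the DMZ client reach the LAN client?"""
    table = StateTable(strict_type)
    if lan_ping_running:
        # LAN -> DMZ is allowed by policy; the LAN client's ping (id 512 on
        # the reporter's Windows XP hosts) creates the state
        table.create(Icmp(LAN_CLIENT, DMZ_CLIENT, ECHO_REQUEST, 512))
    probe = Icmp(DMZ_CLIENT, LAN_CLIENT, ECHO_REQUEST, dmz_icmp_id)
    return table.matches(probe)  # DMZ -> LAN is blocked unless a state matches
```

The model reproduces the report: the DMZ request passes only while the LAN ping's state exists and only with the same id, which is why this is expected state behaviour rather than a hole in the rules.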
