Netgate Discussion Forum
    "reject" rule and icmp.

Category: Firewalling. 3 Posts, 2 Posters, 1.0k Views

apollo13:
      I have a rule for testing purposes which is set to reject and destination 33.33.33.33. Now if I try telnet, pfsense will immediately close the tcp connection, so far so good. If I use ping instead, pfsense just drops the icmp echo request and does not send icmp unreachable or anything back. According to https://redmine.pfsense.org/issues/2452 this appears to be intended behavior. Can anyone explain why?

      Thanks,
      Florian

cmb:
        That's the nature of how pf functions. Its reject will send a RST for TCP, an unreachable for UDP, and nothing for all other protocols.

        For ICMP in particular, RFC 792's "To avoid the infinite regress of messages about messages etc., no ICMP messages are sent about ICMP messages." is likely why.

apollo13:
          Ah thank you, the pf docs said "This causes a TCP RST to be returned for tcp(4) packets and an ICMP UNREACHABLE for UDP and other packets." – so I expected an ICMP return even for ICMP.

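As an added illustration (not code from this thread, nor from pf or pfSense), the following Python model applies the reply rules discussed above to one IPv4 packet: TCP gets a RST, UDP and other non-ICMP protocols get an ICMP unreachable, and ICMP gets nothing because RFC 792 forbids ICMP messages about ICMP messages. The RST sequence/ack arithmetic and the default port-unreachable code follow pf's behaviour as I understand it, and the sample packets and addresses are constructed for the demo.

```python
import struct

ICMP, TCP, UDP = 1, 6, 17

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by IPv4, ICMP and TCP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def reject_reply(packet: bytes):
    """What a pf 'block return' rule sends back for one IPv4 packet.

    Returns ("rst", seq, ack) for TCP, ("icmp-unreach", icmp_bytes) for UDP
    and any other non-ICMP protocol, and None when nothing is sent (ICMP
    input per RFC 792, or a TCP segment that already carries RST).
    """
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    l4 = packet[ihl:]
    if proto == ICMP:
        return None                     # no ICMP messages about ICMP messages
    if proto == TCP:
        seq, ack = struct.unpack_from("!II", l4, 4)
        data_off, flags = (l4[12] >> 4) * 4, l4[13]
        if flags & 0x04:                # never answer a reset with a reset
            return None
        # The RST|ACK acknowledges everything the peer sent: data, plus one for SYN/FIN,
        # and takes its own sequence number from the peer's ack number.
        rst_ack = (seq + len(l4) - data_off + bool(flags & 0x02) + bool(flags & 0x01)) & 0xFFFFFFFF
        return ("rst", ack, rst_ack)
    # ICMP type 3 code 3 (port unreachable, pf's default), quoting the offending
    # IP header plus the first 8 bytes of its payload, as RFC 792 requires.
    icmp = struct.pack("!BBHI", 3, 3, 0, 0) + packet[: ihl + 8]
    return ("icmp-unreach", icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:])

def ipv4(proto: int, payload: bytes) -> bytes:
    """Constructed sample IPv4 packet (10.0.0.2 -> 33.33.33.33) wrapping a L4 payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64,
                      proto, 0, bytes([10, 0, 0, 2]), bytes([33, 33, 33, 33]))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload

# Constructed samples: a telnet SYN, a ping echo request, and a DNS query.
tcp_syn = ipv4(TCP, struct.pack("!HHIIBBHHH", 12345, 23, 1000, 0, 5 << 4, 0x02, 65535, 0, 0))
icmp_echo = ipv4(ICMP, struct.pack("!BBHHH", 8, 0, 0, 1, 1))
udp_dns = ipv4(UDP, struct.pack("!HHHH", 40000, 53, 8, 0))
```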
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.