ICMP timestamp requests circumvent PF rule
Hello,
We have just started running Qualys against our external IP ranges and have confirmed the following bug https://redmine.pfsense.org/issues/13652
Basically, if you scan two sequential IPs using the Qualys cloud scanner, it will return that ICMP timestamps are returned from the firewalls (confirmed with packet captures). If you scan a single IP, they are not (again confirmed with a packet capture). The associated WAN rule is:
pass in quick on $WAN reply-to ( lagg0 <GATEWAY> ) inet proto icmp from any to (self) icmp-type echoreq tracker 1633694002 keep state label "USER_RULE"
Which should permit pings only. We have been trying to reproduce this problem outside of Qualys, however we have been unsuccessful thus far. However, the problem is definitely pfSense, because we can see the ICMP TS response packets coming back:
Firewall rules in the interface:
Interestingly, if you block all ICMP, then the behaviour goes away and timestamps are never sent. This feels like it's a bug within PF to me, however I'm not sure how to create an easy reproduction case without using Qualys.
Thanks,
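As an added example (not from the original post, nor pfSense or Qualys code), a small Python check that parses captured IPv4/ICMP packets and flags ICMP timestamp replies (type 14) sourced from the firewall's own addresses, which is exactly the condition described above. The addresses and packets are constructed for the demonstration; on a real capture you would feed it the raw IPv4 frames from tcpdump or pcap.

```python
import struct
from typing import Dict, Iterable, List, Set

ICMP_NAMES = {0: "echoreply", 8: "echoreq", 13: "timereq", 14: "timerep"}

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum (used for both IPv4 and ICMP headers)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_ipv4_icmp(frame: bytes) -> Dict:
    """Decode one raw IPv4 frame carrying ICMP; timestamp messages get their three fields."""
    ihl = (frame[0] & 0x0F) * 4
    if frame[9] != 1:
        raise ValueError("not an ICMP packet")
    src = ".".join(str(b) for b in frame[12:16])
    dst = ".".join(str(b) for b in frame[16:20])
    icmp = frame[ihl:]
    itype, code, _ = struct.unpack("!BBH", icmp[:4])
    rec = {"src": src, "dst": dst, "type": itype, "code": code,
           "name": ICMP_NAMES.get(itype, str(itype)),
           "checksum_ok": icmp_checksum(icmp) == 0}
    if itype in (13, 14) and len(icmp) >= 20:   # id/seq at [4:8], timestamps at [8:20]
        rec["originate"], rec["receive"], rec["transmit"] = struct.unpack("!III", icmp[8:20])
    return rec

def timestamp_replies_from(frames: Iterable[bytes], self_addrs: Set[str]) -> List[Dict]:
    """Timestamp replies (type 14) whose source is one of our own addresses, i.e. the leak."""
    return [r for r in map(parse_ipv4_icmp, frames) if r["type"] == 14 and r["src"] in self_addrs]

# Helpers to build constructed sample packets (valid checksums, so the parser's check passes).
def build_icmp(itype: int, code: int, body: bytes) -> bytes:
    hdr = struct.pack("!BBH", itype, code, 0) + body
    return hdr[:2] + struct.pack("!H", icmp_checksum(hdr)) + hdr[4:]

def build_frame(src: str, dst: str, icmp: bytes) -> bytes:
    addr = lambda a: bytes(int(o) for o in a.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0, 64, 1, 0, addr(src), addr(dst))
    return ip[:10] + struct.pack("!H", icmp_checksum(ip)) + ip[12:] + icmp

SELF_ADDRS = {"198.51.100.1"}   # constructed firewall WAN address (TEST-NET-2)
SAMPLE_FRAMES = [               # constructed: an echo reply (expected), a timestamp request in, a timestamp reply out (the leak)
    build_frame("198.51.100.1", "203.0.113.9", build_icmp(0, 0, struct.pack("!HH", 1, 1) + b"ping")),
    build_frame("203.0.113.9", "198.51.100.1", build_icmp(13, 0, struct.pack("!HHIII", 1, 1, 1000, 0, 0))),
    build_frame("198.51.100.1", "203.0.113.9", build_icmp(14, 0, struct.pack("!HHIII", 1, 1, 1000, 2000, 2000))),
]

if __name__ == "__main__":
    for leak in timestamp_replies_from(SAMPLE_FRAMES, SELF_ADDRS):
        print("timestamp reply leaving %(src)s -> %(dst)s, transmit=%(transmit)d" % leak)
```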