return-icmp() relative question to ipf rule.

>
> I have a rule I used in ipfilter probably around 2 or so years ago  
> and I am now getting around to trying to implement in it my pf  
> rules. So far any results I have achieved have failed with no  
> response back from the server and get dropped.
>
> The rule in ipf syntax:
> block return-icmp-as-dest(13) in log first quick proto icmp all icmp-
> type 8
>
> The above ipf rule returns a result of "Destination Administratively  
> Prohibited" when ping'd
>
> The following pf syntax:
> block return-icmp(3,13) in quick inet proto icmp from any to any  
> icmp-type 8 code 0
>
> The above pf rule returns a result of "Nothing ........" when ping'd
>
> Just to be sure I wasn't mucking up the chain of rules I added this  
> as the only rule to test it out and have achieved the same result  
> multiple times on a test machine.
>
> Can anyone shed some light on the syntax and help me out with  
> getting this rule to make the system respond to a echo request with  
> admin-prohib as the destination system ?
>
> Thanks
>

> On Oct 10, 2009, at 4:09 AM, jhell wrote:
>
>>
>> I have a rule I used in ipfilter probably around 2 or so years ago and I am
>> now getting around to trying to implement in it my pf rules. So far any
>> results I have achieved have failed with no response back from the server
>> and get dropped.
>>
>> The rule in ipf syntax:
>> block return-icmp-as-dest(13) in log first quick proto icmp all icmp-type 8
>>
>> The above ipf rule returns a result of "Destination Administratively
>> Prohibited" when ping'd
>>
>> The following pf syntax:
>> block return-icmp(3,13) in quick inet proto icmp from any to any icmp-type
>> 8 code 0
>>
>> The above pf rule returns a result of "Nothing ........" when ping'd
>>
>> Just to be sure I wasn't mucking up the chain of rules I added this as the
>> only rule to test it out and have achieved the same result multiple times
>> on a test machine.
>>
>> Can anyone shed some light on the syntax and help me out with getting this
>> rule to make the system respond to a echo request with admin-prohib as the
>> destination system ?
>>
>> Thanks
>>
>
>
> *click* (the light is on)
>
>          Options returning ICMP packets currently have no effect if pf(4)
>          operates on a if_bridge(4), as the code to support this feature has
>          not yet been implemented.
>
> from the Manual page. I think that answers the question?
>

>
> On Mon, 26 Oct 2009 09:18, remko@ wrote:
>> On Oct 10, 2009, at 4:09 AM, jhell wrote:
>>
>>> I have a rule I used in ipfilter probably around 2 or so years ago  
>>> and I am now getting around to trying to implement in it my pf  
>>> rules. So far any results I have achieved have failed with no  
>>> response back from the server and get dropped.
>>> The rule in ipf syntax:
>>> block return-icmp-as-dest(13) in log first quick proto icmp all  
>>> icmp-type 8
>>> The above ipf rule returns a result of "Destination  
>>> Administratively Prohibited" when ping'd
>>> The following pf syntax:
>>> block return-icmp(3,13) in quick inet proto icmp from any to any  
>>> icmp-type 8 code 0
>>> The above pf rule returns a result of "Nothing ........" when ping'd
>>> Just to be sure I wasn't mucking up the chain of rules I added  
>>> this as the only rule to test it out and have achieved the same  
>>> result multiple times on a test machine.
>>> Can anyone shed some light on the syntax and help me out with  
>>> getting this rule to make the system respond to a echo request  
>>> with admin-prohib as the destination system ?
>>> Thanks
>>
>>
>> *click* (the light is on)
>>
>>         Options returning ICMP packets currently have no effect if  
>> pf(4)
>>         operates on a if_bridge(4), as the code to support this  
>> feature has
>>         not yet been implemented.
>>
>> from the Manual page. I think that answers the question?
>>
>
> Thanks Remko,
>
> No I'm not using if_bridge(4) here, nor any bridge for that matter.  
> I have tested this directly from interface -> interface with a patch  
> cable thinking that the click that I heard from the light above  
> would actually turn something on but was just throwing a breaker.

> On Oct 26, 2009, at 4:02 PM, jhell wrote:
>
>>
>> On Mon, 26 Oct 2009 09:18, remko@ wrote:
>>> On Oct 10, 2009, at 4:09 AM, jhell wrote:
>>>
>>>> I have a rule I used in ipfilter probably around 2 or so years ago and I
>>>> am now getting around to trying to implement in it my pf rules. So far
>>>> any results I have achieved have failed with no response back from the
>>>> server and get dropped.
>>>> The rule in ipf syntax:
>>>> block return-icmp-as-dest(13) in log first quick proto icmp all icmp-type
>>>> 8
>>>> The above ipf rule returns a result of "Destination Administratively
>>>> Prohibited" when ping'd
>>>> The following pf syntax:
>>>> block return-icmp(3,13) in quick inet proto icmp from any to any
>>>> icmp-type 8 code 0
>>>> The above pf rule returns a result of "Nothing ........" when ping'd
>>>> Just to be sure I wasn't mucking up the chain of rules I added this as
>>>> the only rule to test it out and have achieved the same result multiple
>>>> times on a test machine.
>>>> Can anyone shed some light on the syntax and help me out with getting
>>>> this rule to make the system respond to a echo request with admin-prohib
>>>> as the destination system ?
>>>> Thanks
>>>
>>>
>>> *click* (the light is on)
>>>
>>>        Options returning ICMP packets currently have no effect if pf(4)
>>>        operates on a if_bridge(4), as the code to support this feature has
>>>        not yet been implemented.
>>>
>>> from the Manual page. I think that answers the question?
>>>
>>
>> Thanks Remko,
>>
>> No I'm not using if_bridge(4) here, nor any bridge for that matter. I have
>> tested this directly from interface -> interface with a patch cable
>> thinking that the click that I heard from the light above would actually
>> turn something on but was just throwing a breaker.
>
>
> OK, yes I understand what you mean. I over-read the bridge part. My apologies
> for the confusion this caused. I am not sure whether it then should or should
> not work though. One thing that I noticed is that you speak about
> 'it was in IPF and it isn't in PF', please keep in mind that PF is a complete
> rewrite and looks similiar to IPF with syntax etc. Features found there are
> no guarantee that it will be in PF as well. Doesn't make up the fact that the
> documentation indeed talks about it being possible and seemingly impossible
> to do it.
>
> I added Max to the discussion, he might be able to tell whether or not this
> is integrated and whether it should work at all :-)
>
> Thanks for catching my misread part!
>