Traceroute / ICMP issue after 24.7.1 update

Started by MeltdownSpectre, August 08, 2024, 07:16:38 PM

August 09, 2024, 09:47:42 AM #15 Last Edit: August 09, 2024, 09:49:14 AM by doktornotor
Quote from: franco on August 09, 2024, 08:10:55 AM
Might also be possible to confirm with pfctl -d / test traceroute / pfctl -e as a quick test that pf is doing it.

Well yes, disabling the firewall fixes the problem, feel much safer now compared to leaking replies to ping.  ;D :P

Quote from: franco on August 09, 2024, 08:57:09 AM
You can revert the kernel as suggested.

That brings back the kernel that panics with IPS, doesn't it? Just as a warning for people. Might rather live with broken ICMP for the moment.

Now, this crafted ping packets nonsense reminds me of this rant I wrote almost 20 years ago.

Ugh.
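As an added example (not code from this thread or from the OPNsense project), a small sh script that automates the quick check quoted above: count the answering hops with pf enabled, repeat with pf disabled, and put pf back. The sample traceroute output and the target argument are constructed placeholders; running `pf_probe` assumes a root shell on the firewall.

```shell
# Constructed sample: traceroute output as seen when the ICMP
# time-exceeded replies are dropped (only the first hop answers).
SAMPLE_TRACE='traceroute to example.invalid (203.0.113.10), 64 hops max, 40 byte packets
 1  192.0.2.1  0.412 ms  0.398 ms  0.377 ms
 2  * * *
 3  * * *'

# Read traceroute output on stdin, print "answered/total" hop counts.
# A hop line starts with its number; "* * *" means no reply arrived.
count_responding_hops() {
    awk '/^ *[0-9]+ /{
             total++
             if ($0 !~ /\* \* \*[ \t]*$/) ok++
         }
         END { printf "%d/%d\n", ok + 0, total + 0 }'
}

# Returns 0 when the two counts differ, i.e. pf changed the outcome.
differs() {
    [ "$1" != "$2" ]
}

# The check from the thread: traceroute with pf enabled, then with pf
# disabled (pfctl -d), then re-enable pf (pfctl -e). Needs root on the box.
pf_probe() {
    target=$1        # placeholder: any reachable host
    hops=${2:-5}
    with_pf=$(traceroute -n -m "$hops" -w 1 "$target" 2>/dev/null | count_responding_hops)
    pfctl -d || return 1
    # Re-enable pf even if traceroute is interrupted.
    trap 'pfctl -e' EXIT INT TERM
    without_pf=$(traceroute -n -m "$hops" -w 1 "$target" 2>/dev/null | count_responding_hops)
    pfctl -e
    trap - EXIT INT TERM
    echo "pf enabled: $with_pf  pf disabled: $without_pf"
    if differs "$with_pf" "$without_pf"; then
        echo "pf is dropping the ICMP replies"
    else
        echo "no difference with pf disabled; look elsewhere"
    fi
}
```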



August 09, 2024, 09:57:05 AM #18 Last Edit: August 09, 2024, 09:59:45 AM by Patrick M. Hausen
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

@doktornotor

# opnsense-update -zkr 24.7-xen3

I'll leave it there for a while longer then.


Cheers,
Franco

Quote from: Patrick M. Hausen on August 09, 2024, 09:57:05 AM
@doktornotor

http://www.ranum.com/security/computer_security/papers/a1-firewall/index.html

8)

LMAO! Printed that to PDF.  8) ;D


Quote from: franco on August 09, 2024, 09:58:27 AM
@doktornotor

# opnsense-update -zkr 24.7-xen3

I'll leave it there for a while longer then.

Thanks, will be potentially useful for others as well.

Quote from: franco on August 09, 2024, 08:10:55 AM
Jokes aside, this should probably be reported to https://bugs.freebsd.org but at this point I have no hopes somebody even cares, given the number of past and pending issues in that general direction.

Done, if someone here wants to chime in there: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=280701. I most likely won't have time to follow the usual requested steps to reproduce an apparent bug just because it manifests on OPNsense instead of "vanilla" FreeBSD.

Quote from: franco on August 09, 2024, 09:58:27 AM

# opnsense-update -zkr 24.7-xen3

I'll leave it there for a while longer then.

What are the differences and benefits of that "xen Kernel"?

This was the 24.7.1 kernel state before the FreeBSD security advisories hit yesterday, with all pressing user-reported things fixed.


Cheers,
Franco

August 09, 2024, 12:22:11 PM #24 Last Edit: August 09, 2024, 12:23:56 PM by doktornotor
@franco - added so far requested info (seems to go well as usual  ::)) to https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=280701; if people want to take over from there, I really don't have days to debug this. 

Summary:
- 24.7 or 24.7-xen3 -> working traceroute
- 24.7.1 -> traceroute broken
- reproduced on a box with default OPNsense firewall rules, DHCP WAN, default LAN

Wondering who's testing these patches on "stable" really. Sigh.

So it is not a special kernel which should be generally used with OPNsense in a Xen hypervisor scenario?

xen, xen2 and xen3 were test patch iterations while working on IPS/netmap crashes within Xen since the problem appeared with FreeBSD 14.1. It was fixed. It's included in 24.7.1 too.


Cheers,
Franco

Thanks Franco for the clarification and your relentless commitment.

I'm on a bare metal install and also seeing the ICMP issue on traceroutes. Screenshot of my live view log from an attempt to run mtr to one of Quad9's IPv6 servers.

Quote from: franco on August 09, 2024, 09:58:27 AM
@doktornotor

# opnsense-update -zkr 24.7-xen3

I'll leave it there for a while longer then.


Cheers,
Franco

Is this supposed to revert to a kernel that has the expected ICMP behavior?