Traceroute / ICMP issue after 24.7.1 update

[doktornotor]

Might also be possible to confirm with pfctl -d / test traceroute / pfctl -e as a quick test that pf is doing it.

Well yes, disabling the firewall fixes the problem, feel much safer now compared to leaking replies to ping. 

You can revert the kernel as suggested.

That brings back the kernel that panics with IPS, doesn't it? Just as a warning for people. Might rather live with broken ICMP for the moment.

Now, this crafted ping packets nonsense reminds me of this rant I wrote almost 20 years ago.

Ugh.

[franco]

@doktornotor Are you using Xen?

[doktornotor]

@doktornotor Are you using Xen?

Just for some testing.

[Patrick M. Hausen]

Now, this crafted ping packets nonsense reminds me of this rant I wrote almost 20 years ago.

http://www.ranum.com/security/computer_security/papers/a1-firewall/index.html

 

[franco]

@doktornotor

# opnsense-update -zkr 24.7-xen3

I'll leave it there for a while longer then.


Cheers,
Franco

[doktornotor]

@doktornotor

http://www.ranum.com/security/computer_security/papers/a1-firewall/index.html

 

LMAO! Printed that to PDF. 

@doktornotor

# opnsense-update -zkr 24.7-xen3

I'll leave it there for a while longer then.

Thanks, will be potentially useful for others as well.

[doktornotor]

Jokes aside this should probably be reported to https://bugs.freebsd.org but at this point I have no hopes somebody even cares giving the number of past and pending issues in that general direction.

Done if someone here wants to chime in there - https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=280701, I most likely won't have time to follow the usual requested steps to reproduce an apparent bug just because it manifests on OPNsense instead of "vanilla" FreeBSD.

[tokade]

# opnsense-update -zkr 24.7-xen3

I'll leave it there for a while longer then.

What are the differences and benefits of that "xen Kernel"?

[franco]

This was the 24.7.1 kernel state before the FreeBSD security advisories hit yesterday with all pressing user reported things fixed.


Cheers,
Franco

[doktornotor]

@franco - added so far requested info (seems to go well as usual  ) to https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=280701; if people want to take over from there, I really don't have days to debug this. 

Summary:
- 24.7 or 24.7-xen3 -> working traceroute
- 24.7.1 - traceroute broken.
- reproduced on a box with default OPNsense firewall rules, DHCP WAN, default LAN.

Wondering who's testing these patches on "stable" really. Sigh.

[tokade]

So it is not a special kernel which should be generally used with opnsense in a Xen hypervisor scenario?

[franco]

xen, xen2 and xen3 were test patch iterations while working on IPS/netmap crashes within Xen since the problem appeared with FreeBSD 14.1. It was fixed. It's included in 24.7.1 too.


Cheers,
Franco

[tokade]

Thx Franco for the clarification and your relentless commitment

[opnfwb]

I'm on a bare metal install and also seeing the ICMP issue on traceroutes. Screenshot of my liveview log attempt to run mtr to one of quad9's IPV6 servers.

[motoridersd]

@doktornotor

# opnsense-update -zkr 24.7-xen3

I'll leave it there for a while longer then.


Cheers,
Franco

Is this supposed to revert to a kernel that has the expected ICMP behavior?