kern/51111: ipf doesn't allow outbound IPv6 packets until the rulesets are reloaded

Kirk Strauser kirk at strauser.com
Thu Apr 17 16:50:15 PDT 2003


>Number:         51111
>Category:       kern
>Synopsis:       ipf doesn't allow outbound IPv6 packets until the rulesets are reloaded
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Apr 17 16:50:12 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator:     Kirk Strauser
>Release:        FreeBSD 4.8-STABLE alpha
>Organization:
The Strauser Group
>Environment:
System: FreeBSD gopher.honeypot.net 4.8-STABLE FreeBSD 4.8-STABLE #0: Wed Apr 9 01:23:20 CDT 2003 root at gopher.honeypot.net:/usr/obj/usr/src/sys/GOPHER alpha

The kernel is a slight variant of GENERIC with unneeded drivers commented
out and only these additions:

    # Firewall
    options                IPFILTER
    options                IPFILTER_LOG
    options                IPFILTER_DEFAULT_BLOCK
    
    # Enhanced TCP security
    options                RANDOM_IP_ID

It was compiled with:

    CPUTYPE=ev4
    CFLAGS= -O -pipe -mieee

>Description:
ipf doesn't seem to properly process IPv6 rules upon boot.  I have a fairly
simple ruleset that's loaded by /etc/rc.network when the machine starts:

    #### Loopback
    
    pass in quick on lo0 all head 2000
    pass out quick on lo0 all head 2050
    
    #### LAN
    
    block in log quick on fxp1 all head 2100
    block out log quick on fxp1 all head 2150
    
    #### WAN
    
    block in log quick on gif0 all head 2200
    block out log quick on gif0 all head 2250
    
    ######## Exceptions ########
    
    #### LAN
    
    ## Inbound - group 2100
    pass in quick all keep state group 2100
    
    ## Outbound - group 2150
    pass out quick all group 2150
    
    #### WAN
    # Allow in certain ports
    pass in quick proto tcp/udp from any to 3ffe:b80:b8d:1:2d0:b7ff:fe0e:3a4a port = domain keep state group 2200
    pass in quick proto tcp from any to 3ffe:b80:b8d:1:2d0:b7ff:fe0e:3a4a port = http keep state group 2200
    pass in quick proto tcp from any to 3ffe:b80:b8d:1:2d0:b7ff:fe0e:3a4a port = smtp keep state group 2200
    pass in quick proto tcp from any to 3ffe:b80:b8d:1:2d0:b7ff:fe0e:3a4a port = ssh keep state group 2200
    pass in quick proto tcp from any to 3ffe:b80:b8d:1:2d0:b7ff:fe0e:3a4a port = pop3 keep state group 2200
    pass in quick proto tcp from any to any port = auth keep state group 2200
    pass in quick proto udp from any to any port = ntp keep state group 2200
    pass in quick proto tcp/udp from any to 3ffe:b80:b8d:1:2d0:b7ff:fe0e:3a4a port = jabber-server keep state group 2200
    pass in quick proto tcp/udp from any to 3ffe:b80:b8d:1:2d0:b7ff:fe0e:3a4a port = jabber-client keep state group 2200
    pass in quick proto tcp/udp from any to any port = 6346 keep state group 2200
    pass in quick proto ipv6-icmp all group 2200
    
    ## Outbound - group 2250
    pass out quick proto tcp/udp all keep state group 2250
    pass out quick proto ipv6-icmp all group 2250

After loading, the kernel's ipf rule table looks like this:

    root at gopher:~# ipfstat -6io
    pass out quick on lo0 from any to any head 2050
    block out log quick on fxp1 from any to any head 2150
    pass out quick from any to any group 2150
    block out log quick on gif0 from any to any head 2250
    pass out quick proto tcp/udp from any to any keep state group 2250
    pass out quick proto ipv6-icmp from any to any group 2250
    pass in quick on lo0 from any to any head 2000
    block in log quick on fxp1 from any to any head 2100
    pass in quick from any to any keep state group 2100
    block in log quick on gif0 from any to any head 2200
    pass in quick proto tcp/udp from any to 3ffe:b80:b8d:1:2d0:b7ff:fe0e:3a4a/128 port = domain keep state group 2200
    pass in quick proto tcp from any to 3ffe:b80:b8d:1:2d0:b7ff:fe0e:3a4a/128 port = 80 keep state group 2200
    pass in quick proto tcp from any to 3ffe:b80:b8d:1:2d0:b7ff:fe0e:3a4a/128 port = 25 keep state group 2200
    pass in quick proto tcp from any to 3ffe:b80:b8d:1:2d0:b7ff:fe0e:3a4a/128 port = 22 keep state group 2200
    pass in quick proto tcp from any to 3ffe:b80:b8d:1:2d0:b7ff:fe0e:3a4a/128 port = 110 keep state group 2200
    pass in quick proto tcp from any to any port = 113 keep state group 2200
    pass in quick proto udp from any to any port = 123 keep state group 2200
    pass in quick proto tcp/udp from any to 3ffe:b80:b8d:1:2d0:b7ff:fe0e:3a4a/128 port = jabber-server keep state group 2200
    pass in quick proto tcp/udp from any to 3ffe:b80:b8d:1:2d0:b7ff:fe0e:3a4a/128 port = jabber-client keep state group 2200
    pass in quick proto tcp/udp from any to any port = 6346 keep state group 2200
    pass in quick proto ipv6-icmp from any to any group 2200

The problem is that, despite the apparent correctness of the rules, I can't
ping6 out from the server itself (although I *can* ping6 out from various
Linux and FreeBSD hosts protected by this firewall):

    root at gopher:~# ping6 www.kame.net
    PING6(64=40+8+16 bytes) 3ffe:b80:2:614e::2 --> 3ffe:501:4819:2000:210:f3ff:fe03:4d0
    ^C
    --- apple.kame.net ping6 statistics ---
    34 packets transmitted, 0 packets received, 100% packet loss

If I reload the rules:

    root at gopher:~# ipf -Fa -f /etc/ipf.rules -6 -Fa -f /etc/ipf6.rules

then I have the exact same kernel rule table as before:

    root at gopher:~# ipfstat -6io
    pass out quick on lo0 from any to any head 2050
    block out log quick on fxp1 from any to any head 2150
    pass out quick from any to any group 2150
    block out log quick on gif0 from any to any head 2250
    pass out quick proto tcp/udp from any to any keep state group 2250
    pass out quick proto ipv6-icmp from any to any group 2250
    pass in quick on lo0 from any to any head 2000
    block in log quick on fxp1 from any to any head 2100
    pass in quick from any to any keep state group 2100
    block in log quick on gif0 from any to any head 2200
    pass in quick proto tcp/udp from any to 3ffe:b80:b8d:1:2d0:b7ff:fe0e:3a4a/128 port = domain keep state group 2200
    pass in quick proto tcp from any to 3ffe:b80:b8d:1:2d0:b7ff:fe0e:3a4a/128 port = 80 keep state group 2200
    pass in quick proto tcp from any to 3ffe:b80:b8d:1:2d0:b7ff:fe0e:3a4a/128 port = 25 keep state group 2200
    pass in quick proto tcp from any to 3ffe:b80:b8d:1:2d0:b7ff:fe0e:3a4a/128 port = 22 keep state group 2200
    pass in quick proto tcp from any to 3ffe:b80:b8d:1:2d0:b7ff:fe0e:3a4a/128 port = 110 keep state group 2200
    pass in quick proto tcp from any to any port = 113 keep state group 2200
    pass in quick proto udp from any to any port = 123 keep state group 2200
    pass in quick proto tcp/udp from any to 3ffe:b80:b8d:1:2d0:b7ff:fe0e:3a4a/128 port = jabber-server keep state group 2200
    pass in quick proto tcp/udp from any to 3ffe:b80:b8d:1:2d0:b7ff:fe0e:3a4a/128 port = jabber-client keep state group 2200
    pass in quick proto tcp/udp from any to any port = 6346 keep state group 2200
    pass in quick proto ipv6-icmp from any to any group 2200

...except that now I *can* ping6 out from the machine:

    root at gopher:~# ping6 www.kame.net
    PING6(64=40+8+16 bytes) 3ffe:b80:2:614e::2 --> 3ffe:501:4819:2000:210:f3ff:fe03:4d0
    24 bytes from 3ffe:501:4819:2000:210:f3ff:fe03:4d0, icmp_seq=0 hlim=53 time=424.338 ms
    24 bytes from 3ffe:501:4819:2000:210:f3ff:fe03:4d0, icmp_seq=1 hlim=54 time=548.674 ms
    24 bytes from 3ffe:501:4819:2000:210:f3ff:fe03:4d0, icmp_seq=2 hlim=54 time=423.075 ms
    24 bytes from 3ffe:501:4819:2000:210:f3ff:fe03:4d0, icmp_seq=3 hlim=54 time=412.695 ms
    24 bytes from 3ffe:501:4819:2000:210:f3ff:fe03:4d0, icmp_seq=4 hlim=54 time=433.834 ms
    24 bytes from 3ffe:501:4819:2000:210:f3ff:fe03:4d0, icmp_seq=5 hlim=54 time=421.543 ms
    24 bytes from 3ffe:501:4819:2000:210:f3ff:fe03:4d0, icmp_seq=6 hlim=54 time=468.47 ms
    24 bytes from 3ffe:501:4819:2000:210:f3ff:fe03:4d0, icmp_seq=7 hlim=54 time=468.273 ms
    24 bytes from 3ffe:501:4819:2000:210:f3ff:fe03:4d0, icmp_seq=8 hlim=54 time=440.753 ms
    24 bytes from 3ffe:501:4819:2000:210:f3ff:fe03:4d0, icmp_seq=9 hlim=54 time=417.928 ms
    ^C
    --- apple.kame.net ping6 statistics ---
    10 packets transmitted, 10 packets received, 0% packet loss
    round-trip min/avg/max/std-dev = 412.695/445.958/548.674/38.998 ms

Although not detailed above, the same problem holds for outbound TCP/UDP
connections; I can't telnet out until I reload the ruleset.

Also interesting is that no entries appear in /var/log/ipf.log, although other
correctly-blocked packets are logged as expected.

>How-To-Repeat:
Boot the machine and notice that it can't connect out via IPv6.  Reload the
ipf6.rules ruleset and connect out as expected.

>Fix:

>Release-Note:
>Audit-Trail:
>Unformatted:
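Added example, not part of the PR: a small Python evaluator of ipf's head/group/quick ordering, run over the submitter's IPv6 ruleset (abridged to leave out the repeated per-port rules). It checks what the report infers from the ipfstat listing: the rule table as loaded should pass an outbound ICMPv6 or TCP packet on gif0 through group 2250 and block an unmatched inbound connection through the head 2200 rule, so the text of the rules does not by itself explain the drops seen after boot. The evaluator is a simplification: it ignores keep state, port ranges and options this ruleset does not use, and it assumes the usual ipf semantics that a head rule's own action applies only when nothing inside its group matched. The addresses are taken from the report; the packets are constructed and labelled as such.

```python
# Added example, not code from PR kern/51111: a simplified evaluator for ipf's
# head/group/quick rule ordering, run over the submitter's IPv6 ruleset.
import ipaddress

# Service names used in the ruleset (numbers as ipfstat resolved them, plus domain=53).
SERVICES = {"domain": 53, "http": 80, "smtp": 25, "ssh": 22, "pop3": 110, "auth": 113, "ntp": 123}

# Ruleset from the PR, abridged: the near-identical per-port rules for http, smtp,
# pop3, jabber-* and 6346 are omitted; everything else is as posted.
RULESET = """
pass in quick on lo0 all head 2000
pass out quick on lo0 all head 2050
block in log quick on fxp1 all head 2100
block out log quick on fxp1 all head 2150
block in log quick on gif0 all head 2200
block out log quick on gif0 all head 2250
pass in quick all keep state group 2100
pass out quick all group 2150
pass in quick proto tcp/udp from any to 3ffe:b80:b8d:1:2d0:b7ff:fe0e:3a4a port = domain keep state group 2200
pass in quick proto tcp from any to 3ffe:b80:b8d:1:2d0:b7ff:fe0e:3a4a port = ssh keep state group 2200
pass in quick proto tcp from any to any port = auth keep state group 2200
pass in quick proto udp from any to any port = ntp keep state group 2200
pass in quick proto ipv6-icmp all group 2200
pass out quick proto tcp/udp all keep state group 2250
pass out quick proto ipv6-icmp all group 2250
"""

def port_value(tok):
    return int(tok) if tok.isdigit() else SERVICES.get(tok, tok)

def parse_rule(line):
    """Parse the subset of ipf syntax this ruleset uses into a dict."""
    t = line.split()
    r = dict(text=line, action=t[0], dir=t[1], quick=False, iface=None, proto=None,
             src="any", dst="any", dport=None, head=None, group=0)
    i = 2
    while i < len(t):
        w = t[i]
        if w == "quick":
            r["quick"] = True
        elif w in ("on", "proto", "from", "to"):                        # keyword plus one value
            r[{"on": "iface", "from": "src", "to": "dst"}.get(w, w)] = t[i + 1]; i += 1
        elif w == "port":
            r["dport"] = port_value(t[i + 2]); i += 2                    # "port = X"
        elif w in ("head", "group"):
            r[w] = int(t[i + 1]); i += 1
        elif w == "keep":
            i += 1                                                       # "keep state": ignored here
        elif w not in ("log", "all"):
            raise ValueError(f"unsupported token {w!r} in rule: {line}")
        i += 1
    return r

def load_rules(text):
    return [parse_rule(l) for l in text.splitlines() if l.strip() and not l.startswith("#")]

def addr_matches(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def rule_matches(r, pkt):
    return (r["dir"] == pkt["dir"]
            and r["iface"] in (None, pkt["iface"])
            and (r["proto"] is None or pkt["proto"] in r["proto"].split("/"))
            and addr_matches(r["src"], pkt["src"]) and addr_matches(r["dst"], pkt["dst"])
            and (r["dport"] is None or port_value(str(pkt.get("dport", ""))) == r["dport"]))

def scan(rules, pkt, group=0):
    """Walk one group in order.  Returns (decided, rule): decided is True when a quick rule
    ended processing, else rule is the last match so far (or None).  A matching head rule
    hands the packet to its group; the head's own action applies only if nothing in it matched."""
    last = None
    for r in rules:
        if r["group"] != group or not rule_matches(r, pkt):
            continue
        if r["head"] is not None:
            decided, sub = scan(rules, pkt, r["head"])
            if decided:
                return True, sub
            if sub is not None:        # non-quick match inside the group supersedes the head
                last = sub
                continue
        last = r
        if r["quick"]:
            return True, r
    return False, last

def verdict(rules, pkt, default="block"):
    """Final action and deciding rule text for pkt; default models IPFILTER_DEFAULT_BLOCK."""
    _, r = scan(rules, pkt)
    return (default, None) if r is None else (r["action"], r["text"])

HOST, GIF0 = "3ffe:b80:b8d:1:2d0:b7ff:fe0e:3a4a", "3ffe:b80:2:614e::2"   # addresses from the PR
KAME = "3ffe:501:4819:2000:210:f3ff:fe03:4d0"                              # www.kame.net in the PR
CASES = {  # constructed packets; the first two are the ping6/telnet the PR says are dropped
    "icmpv6 out gif0": dict(dir="out", iface="gif0", proto="ipv6-icmp", src=GIF0, dst=KAME),
    "tcp/23 out gif0": dict(dir="out", iface="gif0", proto="tcp", src=GIF0, dst=KAME, dport=23),
    "tcp/22 in gif0": dict(dir="in", iface="gif0", proto="tcp", src=KAME, dst=HOST, dport=22),
    "tcp/8080 in gif0": dict(dir="in", iface="gif0", proto="tcp", src=KAME, dst=HOST, dport=8080),
}

if __name__ == "__main__":
    for name, pkt in CASES.items():
        print(f"{name:17s} -> {verdict(load_rules(RULESET), pkt)}")
```

Run directly, it prints each case's verdict and the rule that decided it. `verdict` falls back to block when no rule matches at all, which models the IPFILTER_DEFAULT_BLOCK option from the kernel configuration above; for the reported ping6 the deciding rule is `pass out quick proto ipv6-icmp all group 2250`, matching the submitter's reading that the loaded table is correct.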

