amd64/147789: Firewall PF no longer drops connections by sending TCP RST packets
sebastien boggia
sebastien.boggia at unistra.fr
Fri Jun 11 14:00:17 UTC 2010
>Number: 147789
>Category: amd64
>Synopsis: Firewall PF no longer drops connections by sending TCP RST packets
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-amd64
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Fri Jun 11 14:00:16 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator: sebastien boggia
>Release: 8.0-RELEASE-p2
>Organization:
university of strasbourg
>Environment:
FreeBSD ash.u-strasbg.fr 8.0-RELEASE-p2 FreeBSD 8.0-RELEASE-p2 #1: Fri Feb 26 13:11:24 UTC 2010 root at fbsd8-64:/usr/obj/usr/src/sys/SMP8-64 amd64
>Description:
We upgraded our firewall from FreeBSD 6.4 to FreeBSD 8.0 and now we have a problem with pf and IPv6: the return-rst rule no longer works.
When a packet matches the following rule, the system should reply to the source address with a TCP RST packet in order to drop the connection.
block return-rst in quick log on { $int_if $int_carp_if } inet6 proto tcp from any to any port { $port_autorises_host_wifi }
It worked on FreeBSD 6.4 but not on FreeBSD 8.0.
With tcpdump on pflog0 we can see the packets matching the rule.
..
tcpdump -en -s0 -i pflog0
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 65535 bytes
15:53:43.725574 rule 320/0(match): block in on vlan900: fe80::226:5eff:fe01:b33e.38423 > 2001:660:2402::90.443: Flags [S], seq 1947608384, win 5760, options [mss 1440,sackOK,TS val 6811328 ecr 0,nop,wscale 6], length 0
15:53:45.488687 rule 318/0(match): block in on vlan900: 2001:660:2402:2001:85ee:f2ca:8cae:61f1.54489 > 2a00:1450:4001:1::13.80: Flags [S], seq 792126535, win 8192, options [mss 1440,nop,wscale 2,nop,nop,sackOK], length 0
..
>How-To-Repeat:
This is the network configuration on the server:
vlan818: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=3<RXCSUM,TXCSUM>
        ether 00:26:55:1a:b9:fc
        inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
        inet6 fe80::226:55ff:fe1a:b9fc%vlan818 prefixlen 64 scopeid 0x6
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        vlan: 818 parent interface: bce0
vlan212: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=3<RXCSUM,TXCSUM>
        ether 00:26:55:1a:b9:fc
        inet 130.79.208.186 netmask 0xfffffff8 broadcast 130.79.208.191
        inet6 fe80::226:55ff:fe1a:b9fc%vlan212 prefixlen 64 scopeid 0x7
        inet6 2001:660:2402:7::2 prefixlen 64
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        vlan: 212 parent interface: bce0
vlan900: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=3<RXCSUM,TXCSUM>
        ether 00:26:55:1a:b9:fc
        inet 172.17.255.253 netmask 0xffff0000 broadcast 172.17.255.255
        inet6 fe80::226:55ff:fe1a:b9fc%vlan900 prefixlen 64 scopeid 0x8
        inet6 2001:660:2402:2001:fe:: prefixlen 64
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        vlan: 900 parent interface: bce0
carp212: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
        inet 130.79.208.185 netmask 0xfffffff8
        inet6 2001:660:2402:7::1 prefixlen 64
        carp: MASTER vhid 150 advbase 1 advskew 0
carp900: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
        inet 172.17.255.254 netmask 0xffff0000
        inet6 2001:660:2402:2001:ff:: prefixlen 64
        carp: MASTER vhid 150 advbase 1 advskew 0
The following is an extract of the pf.conf file:
carp_if="{vlan212,vlan900}"
ext_carp_if="carp212"
int_carp_if="carp900"
ext_if="vlan212"
int_if="vlan900"
set debug urgent
set limit { states 600000 , frags 10000 , src-nodes 100000 }
set timeout interval 5
set optimization normal
scrub in all fragment crop no-df
port_autorises_host_wifi = "smtp, ssh, http, 8080, https, imaps, 1993, \
pop3s, ldap, ldaps, ntp, 8443, 3389, rsync, \
nntp, 5999, 465, 1194, 1232, 5222, 5223, \
587, 1723, 1701, 5060, 5061, 5062, irc, ircs, \
6665, 6666, 6667, 6669"
block return-rst in quick log on { $int_if $int_carp_if } inet6 proto tcp from any \
to any port { $port_autorises_host_wifi }
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
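One way to confirm whether a block return-rst rule is actually answering with a RST, rather than silently dropping, is to correlate the pflog matches with a capture on the blocking interface and flag every blocked SYN for which no RST went back to the source. The script below is an added example, not part of the PR and not FreeBSD or pf code. It assumes tcpdump line formats as they appear in the report for pflog0 (tcpdump -en -s0 -i pflog0) and as tcpdump -ni <interface> prints IPv6 TCP packets (an "IP6" prefix, no link-layer addresses); the sample lines are constructed from the two pflog lines in the report plus one invented RST for the second connection.

```python
import re
from ipaddress import ip_address

# Constructed sample: the two pflog lines quoted in the PR.
PFLOG_LINES = [
    "15:53:43.725574 rule 320/0(match): block in on vlan900: fe80::226:5eff:fe01:b33e.38423 > 2001:660:2402::90.443: Flags [S], seq 1947608384, win 5760, options [mss 1440,sackOK,TS val 6811328 ecr 0,nop,wscale 6], length 0",
    "15:53:45.488687 rule 318/0(match): block in on vlan900: 2001:660:2402:2001:85ee:f2ca:8cae:61f1.54489 > 2a00:1450:4001:1::13.80: Flags [S], seq 792126535, win 8192, options [mss 1440,nop,wscale 2,nop,nop,sackOK], length 0",
]

# Constructed sample of a capture on vlan900 (tcpdump -ni vlan900): one RST for the
# second blocked SYN, none for the first, so the first block should be reported.
IFACE_LINES = [
    "15:53:45.488900 IP6 2a00:1450:4001:1::13.80 > 2001:660:2402:2001:85ee:f2ca:8cae:61f1.54489: Flags [R.], seq 0, ack 792126536, win 0, length 0",
]

PFLOG_RE = re.compile(
    r"^\S+ rule (?P<rule>\d+)/\d+\(match\): (?P<action>block|pass) (?P<dir>in|out) on (?P<ifname>\S+): "
    r"(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)
IFACE_RE = re.compile(
    r"^\S+ IP6? (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def canon(addr):
    """Canonical textual form so '2001:660:2402::90' and its expanded form compare equal."""
    return str(ip_address(addr))


def blocked_syns(pflog_lines):
    """Return the blocked SYNs (no ACK) seen in pflog, one dict per packet."""
    out = []
    for line in pflog_lines:
        m = PFLOG_RE.match(line)
        if not m or m["action"] != "block":
            continue
        if "S" not in m["flags"] or "." in m["flags"]:
            continue  # only initial SYNs are expected to be answered with a RST
        out.append({
            "rule": int(m["rule"]),
            "ifname": m["ifname"],
            "src": canon(m["src"]), "sport": int(m["sport"]),
            "dst": canon(m["dst"]), "dport": int(m["dport"]),
        })
    return out


def rst_flows(iface_lines):
    """Set of (src, sport, dst, dport) for every packet carrying the RST flag."""
    flows = set()
    for line in iface_lines:
        m = IFACE_RE.match(line)
        if m and "R" in m["flags"]:
            flows.add((canon(m["src"]), int(m["sport"]), canon(m["dst"]), int(m["dport"])))
    return flows


def check_return_rst(pflog_lines, iface_lines):
    """For each blocked SYN, record whether a RST from the blocked destination
    back to the original source/port was observed on the interface."""
    rsts = rst_flows(iface_lines)
    results = []
    for syn in blocked_syns(pflog_lines):
        expected = (syn["dst"], syn["dport"], syn["src"], syn["sport"])
        results.append(dict(syn, rst_seen=expected in rsts))
    return results


def missing_rst_rules(pflog_lines, iface_lines):
    """Sorted rule numbers that blocked a SYN without a RST being sent back."""
    return sorted({r["rule"] for r in check_return_rst(pflog_lines, iface_lines) if not r["rst_seen"]})


if __name__ == "__main__":
    for r in check_return_rst(PFLOG_LINES, IFACE_LINES):
        status = "RST sent" if r["rst_seen"] else "NO RST (silent drop)"
        print(f"rule {r['rule']} on {r['ifname']}: [{r['src']}]:{r['sport']} -> [{r['dst']}]:{r['dport']}: {status}")
```

Run it against two real captures taken at the same time (pflog0 and the interface named in the rule) by replacing the constructed lists with the captured lines; any rule listed by missing_rst_rules is one whose return-rst behaviour is not taking effect, which is exactly the symptom reported above. The flag check only counts pure SYNs, since a RST is not expected in reply to later segments of an established flow.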