kern/102647: Using pf stateful rules for inet6 fails for connections originating from the firewall itself to a service running on the same box

Frank Steinborn steinex at nognu.de
Tue Aug 29 16:40:18 UTC 2006


>Number:         102647
>Category:       kern
>Synopsis:       Using pf stateful rules for inet6 fails for connections originating from the firewall itself to a service running on the same box
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Aug 29 16:40:16 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Frank Steinborn
>Release:        6.1-RELEASE-p3
>Organization:
>Environment:
FreeBSD shodan.nognu.de 6.1-RELEASE-p3 FreeBSD 6.1-RELEASE-p3 #0: Sun Jul 23 22:12:17 CEST 2006     steinex at shodan.nognu.de:/usr/home/steinex/obj/usr/src/sys/SHODAN  i386
>Description:
Thanks to Max Laier for examining this, I'll just paste him:

Using pf stateful rules for inet6 fails for connections originating from the firewall itself to a service running on the same box.  Culprit seems to be interface selection in inet6 (switching between the interface that has the address configured and lo0).

tcpdump on pflog0 shows that the initial SYN is coming from bge0 (See below for ruleset used).  The reply then comes via lo0 and matches the state (if state-policy is floating).  The third packet (again via bge0) then no longer matches the state - however:

17:51:17.594100 rule 3/0(match): pass in on bge0: 3000::1.54335 > 3000::1.22:
S 3551126931:3551126931(0) win 65535 <mss 1440,nop,wscale 1,nop,nop,timestamp
2188256 0,sackOK,eol>

17:51:17.594150 rule 3/0(match): pass out on lo0: 3000::1.22 > 3000::1.54335:
S 3700289867:3700289867(0) ack 3551126932 win 65535 <mss 1440,nop,wscale
1,nop,nop,timestamp 2188256 2188256,sackOK,eol>

17:51:17.594157 rule 2/0(match): block in on bge0: 3000::1.22 > 3000::1.54335:
S 3700289867:3700289867(0) ack 3551126932 win 65535 <mss 1440,nop,wscale
1,nop,nop,timestamp 2188256 2188256,sackOK,eol>

>How-To-Repeat:
Use this ruleset:

pass quick on lo0 all
pass quick on bge0 inet all
block drop log all
pass in log-all on bge0 inet6 proto tcp from any to 3000::1 port = ssh flags S/SA keep state

Then try to open an inet6-connection to a service running on the firewall itself from the firewall itself.
>Fix:

>Release-Note:
>Audit-Trail:
>Unformatted:
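As an added illustration (not part of the PR and not FreeBSD code), here is a small parser for the pflog0 tcpdump lines shown above. It groups logged segments by their endpoints, flags, seq and ack numbers and reports any segment that pf first passed on one interface and then blocked on another, which is the symptom described in the report. The sample lines are the three from the report, re-joined onto single lines.

```python
import re

# Constructed sample: the three pflog0 lines from the report, unwrapped.
PFLOG_LINES = [
    "17:51:17.594100 rule 3/0(match): pass in on bge0: 3000::1.54335 > 3000::1.22: "
    "S 3551126931:3551126931(0) win 65535 <mss 1440,nop,wscale 1,nop,nop,timestamp 2188256 0,sackOK,eol>",
    "17:51:17.594150 rule 3/0(match): pass out on lo0: 3000::1.22 > 3000::1.54335: "
    "S 3700289867:3700289867(0) ack 3551126932 win 65535 <mss 1440,nop,wscale 1,nop,nop,timestamp 2188256 2188256,sackOK,eol>",
    "17:51:17.594157 rule 2/0(match): block in on bge0: 3000::1.22 > 3000::1.54335: "
    "S 3700289867:3700289867(0) ack 3551126932 win 65535 <mss 1440,nop,wscale 1,nop,nop,timestamp 2188256 2188256,sackOK,eol>",
]

# tcpdump prints IPv6 endpoints as addr.port; the trailing "ack N" is optional (absent on the first SYN).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) rule (?P<rule>\d+/\d+)\((?P<reason>\w+)\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<flags>\S+) (?P<seq>\d+):\d+\(\d+\)"
    r"(?: ack (?P<ack>\d+))?"
)


def parse_pflog(line):
    """Parse one pflog0 tcpdump line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["src_host"], rec["src_port"] = rec.pop("src").rsplit(".", 1)
    rec["dst_host"], rec["dst_port"] = rec.pop("dst").rsplit(".", 1)
    return rec


def find_interface_flips(lines):
    """Return (blocked, earlier_pass) pairs: the same segment (same endpoints,
    flags, seq and ack) passed on one interface and then blocked on another."""
    first_pass = {}  # segment identity -> first record that pf passed
    flips = []
    for line in lines:
        rec = parse_pflog(line)
        if rec is None:
            continue
        ident = (rec["src_host"], rec["src_port"], rec["dst_host"], rec["dst_port"],
                 rec["flags"], rec["seq"], rec["ack"])
        if rec["action"] == "pass":
            first_pass.setdefault(ident, rec)
        elif ident in first_pass and first_pass[ident]["ifname"] != rec["ifname"]:
            flips.append((rec, first_pass[ident]))
    return flips


if __name__ == "__main__":
    for blocked, passed in find_interface_flips(PFLOG_LINES):
        print(f"{blocked['src_host']}.{blocked['src_port']} > {blocked['dst_host']}.{blocked['dst_port']}: "
              f"passed {passed['dir']} on {passed['ifname']}, then blocked {blocked['dir']} on {blocked['ifname']} "
              f"by rule {blocked['rule']}")
```

On the report's lines it prints the SYN/ACK that was passed out on lo0 and then blocked in on bge0 by rule 2/0, i.e. the interface switch the report attributes to inet6 loopback handling.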