kern/127920: pf : ipv6 and synproxy don't play well together
Henri Hennebert
hlh at restart.be
Tue Oct 7 13:00:10 UTC 2008
>Number: 127920
>Category: kern
>Synopsis: pf : ipv6 and synproxy don't play well together
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Oct 07 13:00:09 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator: Henri Hennebert
>Release: FreeBSD 7.1-PRERELEASE
>Organization:
>Environment:
FreeBSD morzine.restart.bel 7.1-PRERELEASE FreeBSD 7.1-PRERELEASE #0: Sat Oct 4 17:19:46 CEST 2008 root at morzine.restart.bel:/usr/obj/usr/src/sys/MORZINE i386
>Description:
My pf.conf:
---begin---
net_if="em0"
set block-policy drop
set debug misc
set loginterface $net_if
set state-policy if-bound
scrub in all
block in log all
block out log all
set skip on lo0
antispoof quick for $net_if inet
pass out quick on $net_if proto { tcp, udp, icmp, icmp6 } all keep state
pass in quick on $net_if proto udp from any to ($net_if) port domain
pass quick inet proto icmp all icmp-type echoreq keep state
pass in quick inet proto icmp all icmp-type unreach code needfrag
pass in quick inet6 proto icmp6 all
pass in quick on $net_if proto tcp from any to ($net_if) port ssh\
flags S/SA synproxy state (source-track rule, max-src-conn-rate 1/5,\
overload <bad_hosts> flush)
pass quick on $net_if proto ipv6
pass quick on $net_if inet6
--- end ---
Note the last rule which allows any IPv6 traffic!
If I `ssh -4` to this box, the connection succeeds.
If I `ssh -6` to this box, I get a timeout and the last rule is of no use.
If I comment out the rule with synproxy, `ssh -6` succeeds - the last rule allows it.
If I replace `synproxy state` with `keep state` everything is as expected.
Henri
>How-To-Repeat:
see above.
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
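The ssh rule in the reported pf.conf carries no address-family keyword, so it matches IPv6 as well as IPv4, and because it is `quick` the pass-all IPv6 rules after it are never reached for an IPv6 SYN. The reporter's observations (IPv4 with synproxy works; IPv6 works once synproxy is replaced by keep state) suggest splitting the rule by address family. The fragment below is an added example, not the reporter's configuration and not a fix from the FreeBSD project; it assumes that combining the two cases in one ruleset behaves like the two separate cases described in the report, which the PR did not test, and it adds a `table <bad_hosts> persist` line that the posted pf.conf does not show:

```pf
# Added example (not from PR kern/127920): apply synproxy to IPv4 ssh only,
# and use plain keep state for IPv6 ssh, which the reporter found to work.
# Assumption: the two rules combined behave like the separate cases in the PR.
net_if="em0"
table <bad_hosts> persist   # assumed table definition; not shown in the PR

# IPv4: keep the SYN proxy and the rate-limit/overload logic from the report.
pass in quick on $net_if inet proto tcp from any to ($net_if) port ssh \
    flags S/SA synproxy state (source-track rule, max-src-conn-rate 1/5, \
    overload <bad_hosts> flush)

# IPv6: same rate limiting, but ordinary keep state instead of synproxy.
pass in quick on $net_if inet6 proto tcp from any to ($net_if) port ssh \
    flags S/SA keep state (source-track rule, max-src-conn-rate 1/5, \
    overload <bad_hosts> flush)
```

Before loading, `pfctl -nf /etc/pf.conf` parses the file without installing it, and `pfctl -sr` after loading shows the rules as pf expanded them, which makes the address family of each rule visible. Since the posted ruleset has `block in log all`, a timed-out IPv6 ssh attempt can be observed with `tcpdump -n -e -ttt -i pflog0` to confirm which rule is dropping the packets. One caveat on the original ruleset: `proto ipv6` matches IP protocol 41 (IPv6 encapsulated in IPv4), not native IPv6 traffic; native IPv6 is matched by the `inet6` rule.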