kern/148689: [ipfw2] antispoof wrongly triggers on link local IPv6 addresses

Alexander alexander at wittig.name
Fri Jul 16 18:20:07 UTC 2010


>Number:         148689
>Category:       kern
>Synopsis:       [ipfw2] antispoof wrongly triggers on link local IPv6 addresses
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jul 16 18:20:06 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator:     Alexander
>Release:        8.1-PRERELEASE
>Organization:   Wittig
>Environment:
FreeBSD hotzenplotz.wittig.name 8.1-PRERELEASE FreeBSD 8.1-PRERELEASE #2: Tue Jul 13 11:09:46 CEST 2010     root at hotzenplotz.wittig.name:/usr/obj/usr/src/sys/ALEX  amd64
>Description:
It seems as if the IPFW2 option "antispoof" is not properly implemented for IPv6 packets.
The rule "deny ip from any to any not antispoof in" blocks all IPv6 traffic to the IPv6 addresses configured locally on the interfaces. However, traffic coming in to the very same IPv6 address from outside (i.e. from a different machine) passes without problem.

This was already described in this thread back in 2006 along with a workaround:
http://www.mail-archive.com/freebsd-questions@freebsd.org/msg127596.html

This issue should probably be mentioned in ipfw(8) if it is not fixed.
>How-To-Repeat:
Note: Addresses are anonymized.

1) Set up an interface with a public IPv6 address as well as an automatic link-local address, e.g.:
	inet6 fe80::xx:xx:xx:de48%re0 prefixlen 64 scopeid 0x1 
	inet6 2a02:180:xx:xx:xx:xx:de48:0 prefixlen 64

2) Set up the following IPFW2 rules:
ipfw flush
ipfw add deny ip from any to any not antispoof in
ipfw add allow ip from any to any

3) Set up some service on IPv6, e.g. HTTP:
netstat -f inet6 -a
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address       (state)
..
tcp46      0      0 *.http                 *.*                    LISTEN
..

4) Try to connect to the local HTTP server via the public IPv6 address (blocked, times out):
wget 'http://[2a02:xx:xx:xx:xx:xx:de48:0]'
--2010-07-16 20:04:39--  http://[2a02:xx:xx:xx:xx:xx:de48:0]/
Connecting to 2a02:xx:xx:xx:xx:xx:de48:0:80... failed: Operation timed out.
Retrying.
..

>Fix:
If not a solution, at least a workaround is possible by restricting the antispoof rule to IPv4, where it works just fine:

1) Set up the modified IPFW2 rules:
ipfw flush
ipfw add deny ip4 from any to any not antispoof in
ipfw add allow ip from any to any

2) Try to connect to the local HTTP server via the public IPv6 address (works as expected):
wget 'http://[2a02:xx:xx:xx:xx:xx:de48:0]'
--2010-07-16 19:52:45--  http://[2a02:xx:xx:xx:xx:xx:de48:0]/
Connecting to 2a02:xx:xx:xx:xx:xx:de48:0:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: `index.html'

    [ <=>                                   ] 3,128       --.-K/s   in 0s      

2010-07-16 19:52:45 (22.2 MB/s) - `index.html' saved [3128]



>Release-Note:
>Audit-Trail:
>Unformatted:
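The How-To-Repeat and Fix sections above are two runs of the same manual procedure: load a ruleset, connect to the host's own global IPv6 address, compare. The script below is an added example that automates that A/B comparison; it is not part of the PR and not FreeBSD project code. It assumes (none of this comes from the PR) a root shell on a FreeBSD host with ipfw loaded, nc(1) installed, `ADDR` set to this machine's own global IPv6 address and a TCP listener on `PORT`; `2001:db8::1` is a documentation placeholder, not an address from the report. Like the PR's own steps it replaces the live ruleset with `ipfw -q flush` (the `-q` skips the interactive confirmation prompt), so it must not be run on a production firewall. Off FreeBSD, or as a non-root user, it only prints the two rulesets.

```shell
#!/bin/sh
# Added example (not part of the PR): A/B check of the antispoof behaviour
# described above. Loads the PR's original ruleset, probes the host's own
# global IPv6 address, loads the ip4-restricted workaround, probes again.
# Assumptions: root on FreeBSD with ipfw loaded, nc(1) present, ADDR is this
# host's own global IPv6 address (2001:db8::1 is a placeholder), a TCP
# listener is up on PORT. This replaces the live ruleset; do not run it on a
# production firewall.

ADDR=${ADDR:-2001:db8::1}
PORT=${PORT:-80}
IPFW=${IPFW:-ipfw}

# ruleset MODE: print the ruleset for MODE in the "add ..." syntax that
# ipfw(8) accepts from a file. "original" is the PR's rule (antispoof on
# all IP), "workaround" is the PR's fix (antispoof on IPv4 only).
ruleset() {
    case "$1" in
        original)   proto=ip  ;;
        workaround) proto=ip4 ;;
        *) echo "ruleset: unknown mode '$1'" >&2; return 1 ;;
    esac
    printf 'add 100 deny %s from any to any not antispoof in\n' "$proto"
    printf 'add 200 allow ip from any to any\n'
}

# load MODE: flush the live ruleset (-q suppresses the confirmation prompt)
# and load ruleset MODE from a temporary file.
load() {
    tmp=$(mktemp "${TMPDIR:-/tmp}/antispoof.XXXXXX") || return 1
    ruleset "$1" > "$tmp" || { rm -f "$tmp"; return 1; }
    $IPFW -q flush && $IPFW -q "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# probe: TCP connect to [ADDR]:PORT with a 3 s timeout; exit 0 = reachable.
probe() {
    nc -6 -z -w 3 "$ADDR" "$PORT" >/dev/null 2>&1
}

# verdict ORIG_RC WORK_RC: interpret the two probe exit codes.
verdict() {
    case "$1:$2" in
        0:0) echo "reachable with both rulesets: PR symptom not reproduced" ;;
        *:0) echo "blocked by 'deny ip ... not antispoof', reachable with ip4-only rule: PR symptom reproduced" ;;
        0:*) echo "reachable with original rule but not with workaround: re-check setup" ;;
        *)   echo "unreachable with both rulesets: check ADDR, PORT and the listener first" ;;
    esac
}

# run_ab: the full comparison, printing the verdict on stdout.
run_ab() {
    load original   || return 1
    probe; orig_rc=$?
    load workaround || return 1
    probe; work_rc=$?
    verdict "$orig_rc" "$work_rc"
}

# Only touch the firewall as root on a box that actually has ipfw;
# elsewhere just show the two rulesets so the script is harmless.
if command -v "$IPFW" >/dev/null 2>&1 && [ "$(id -u)" = 0 ]; then
    run_ab
else
    echo "# original:";   ruleset original
    echo "# workaround:"; ruleset workaround
fi
```

After the run the host is left with the workaround ruleset loaded; reload your own rules afterwards (e.g. via /etc/rc.firewall or `service ipfw restart`).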