(long) antispoof for inet6 before inet6 addr assignment

Michael W. Oliver michael at gargantuan.com
Sat Apr 22 05:05:47 UTC 2006


Hi folks,

I am using FreeBSD (semi)-CURRENT, here is my uname:


FreeBSD gambit.gargantuan.com 7.0-CURRENT FreeBSD 7.0-CURRENT #0: Wed Mar 15 12:56:49 EST 2006     mwoliver at gambit.gargantuan.com:/usr/obj/usr/src/sys/GAMBIT  i386


I have the following lines (among others) in my pf.conf file:


...
antispoof quick for $int_if inet
antispoof quick for $int_if inet6
antispoof quick for $ext_if inet
antispoof quick for $ext_if inet6
...


After adding these rules, I rebooted my PC and upon boot the pf rules
were not loaded, and here is why (from dmesg -a):


-----8<-----

Starting wpa_supplicant.
DHCPREQUEST on ath0 to 255.255.255.255 port 67

DHCPREQUEST on ath0 to 255.255.255.255 port 67

DHCPREQUEST on ath0 to 255.255.255.255 port 67

DHCPACK from 10.0.0.7

bound to 10.0.0.27 -- renewal in 43200 seconds.

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
        inet 127.0.0.1 netmask 0xff000000
ath0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet6 fe80::20f:eaff:fe60:3337%ath0 prefixlen 64 scopeid 0x1
        inet 10.0.0.27 netmask 0xffffff00 broadcast 10.0.0.255
        ether 00:0f:ea:60:33:37
        media: IEEE 802.11 Wireless Ethernet autoselect (OFDM/54Mbps)
        status: associated
        ssid ******* channel 5 bssid 00:13:10:e3:3a:78
        authmode WPA privacy ON deftxkey UNDEF TKIP 3:128-bit txpowmax 51
        protmode CTS burst roaming MANUAL bintval 100
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=18<VLAN_MTU,VLAN_HWTAGGING>
        inet6 fe80::290:f5ff:fe32:359f%re0 prefixlen 64 tentative scopeid 0x3
        inet 172.31.1.1 netmask 0xffffff00 broadcast 172.31.1.255
        ether 00:90:f5:32:35:9f
        media: Ethernet autoselect (none)
        status: no carrier
Starting pflog.
Apr 21 19:08:16 pflogd[294]: [priv]: msg PRIV_OPEN_LOG received
Enabling pf.
/etc/pf.conf:90: rule expands to no valid combination
/etc/pf.conf:92: rule expands to no valid combination
pfctl: Syntax error in config file: pf rules not loaded

pf enabled
Additional routing options:.
add net ::ffff:0.0.0.0: gateway ::1
add net ::0.0.0.0: gateway ::1
net.inet6.ip6.forwarding: 0 -> 0

ath0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet6 fe80::20f:eaff:fe60:3337%ath0 prefixlen 64 scopeid 0x1
        inet6 2001:4830:2502:8001::a00:1b prefixlen 64 tentative
fwe0: flags=108802<BROADCAST,SIMPLEX,MULTICAST,NEEDSGIANT> mtu 1500
        options=8<VLAN_MTU>
        ch 1 dma -1
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=18<VLAN_MTU,VLAN_HWTAGGING>
        inet6 fe80::290:f5ff:fe32:359f%re0 prefixlen 64 tentative scopeid 0x3
        inet6 2001:4830:2502:8080::ac1f:101 prefixlen 64 tentative
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
pfsync0: flags=0<> mtu 2020
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33208
add net fe80::: gateway ::1
add net ff02::: gateway ::1
add net default: gateway 2001:4830:2502:8001::1
IPv4 mapped IPv6 address support=NO
Starting devd.
.............. etc.

-----8<-----


Now, I am no expert, but it looks like the link-local address isn't
enough to satisfy pf so that it will load the rules, because I saw the
same "rule expands to no valid combination" error when testing this
config before having a non-link-local addr assigned to re0.  It looks
like pf is being started after the inet config, but before the inet6
config, and since there are no non-link-local addrs assigned yet, pf is
failing to load the pf.conf rules.

Is this a simple order-of-operations bug, or am I doing something wrong?
Just so you know, this isn't a live firewall yet, just a simple setup I
am doing on my laptop to become familiar with pf enough to (maybe) move
away from IPFW2.

Here is some more (maybe relevant) info:


pf.conf:
--------------------
$ cat /etc/pf.conf | egrep -v '(^#|^$)'
ext_if="ath0"   # replace with actual external interface name i.e., dc0
int_if="re0"    # replace with actual internal interface name i.e., dc1
internal_net="172.31.1.1/24"
external_addr="10.0.0.27"
table <lak_nets> { 10.0.0.0/24, 172.16.0.0/24 }
table <jax_nets> { 192.168.0.0/24, 192.168.1.0/24 }
table <firewall> const { self }
set skip on lo0
scrub in on $ext_if all no-df fragment reassemble
nat on $ext_if from $internal_net to any -> ($ext_if)
rdr on $ext_if proto tcp from any to $external_addr/32 port 2222 -> 172.16.31.2 port 22
rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
block all
block in log all
antispoof quick for $int_if inet
antispoof quick for $int_if inet6
antispoof quick for $ext_if inet
antispoof quick for $ext_if inet6
pass in  on $ext_if proto tcp from any to $ext_if port 22 flags S/SA modulate state
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
pass out on $ext_if proto { ipv6, ipv6-route, ipv6-frag, ipv6-icmp, ipv6-nonxt, ipv6-opts, esp } all keep state
pass in on $ext_if inet proto tcp from any to $ext_if user proxy keep state
pass in on $ext_if proto { ipv6-icmp } from any keep state
pass in log on $ext_if proto tcp from any to ! <firewall> \
   port ssh flags S/SA synproxy state


/etc/rc.conf:
--------------------------
$ egrep '(ath0|re0|pf)' /etc/rc.conf | grep -v ^#
ifconfig_re0="inet 172.31.1.1/24"
ifconfig_ath0="WPA DHCP"
ipv6_ifconfig_ath0="2001:4830:2502:8001::a00:1b/64"
ipv6_ifconfig_re0="2001:4830:2502:8080::ac1f:101/64"
pf_enable="YES"
pflog_enable="YES"



Thanks for your help, have a good day!

-- 
Mike Oliver, KI4OFU
[see complete headers for contact information]
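Added note and example (mine, not part of Mike's message and not pf's own code), since the failure mode deserves to be spelled out. pfctl expands "antispoof for IF inet6" from the addresses present on IF at load time and skips link-local addresses when it builds the network part of the rule, so an interface that only has its fe80:: address yields nothing and pfctl treats that as a hard parse error. The rule that cannot expand is not simply dropped: the whole ruleset is rejected ("pf rules not loaded") while pf is still enabled, so the box comes up with no rules at all, passing everything, until the ruleset is loaded again after the global addresses are up. The script below reproduces that expansion from ifconfig text so the state can be checked offline, and prints the explicit block rules the antispoof line stands for. Assumed: FreeBSD-format ifconfig output as quoted above, the expanded rule form documented in pf.conf(5), and a sample interface listing that is constructed from the post's dmesg; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not code from the original post): emulate, from ifconfig
# text, the expansion pfctl performs for "antispoof quick for IF inet6", so
# the boot-time failure in the post can be reproduced and checked offline.
# Assumed: FreeBSD-style ifconfig output; the expanded rule form documented
# in pf.conf(5).  Function and variable names here are the example's own.

# Constructed sample modelled on the post's dmesg: ath0 is shown after its
# global address was configured, re0 still has only its fe80:: link-local one.
SAMPLE_IFCONFIG='ath0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet6 fe80::20f:eaff:fe60:3337%ath0 prefixlen 64 scopeid 0x1
        inet6 2001:4830:2502:8001::a00:1b prefixlen 64 tentative
        inet 10.0.0.27 netmask 0xffffff00 broadcast 10.0.0.255
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet6 fe80::290:f5ff:fe32:359f%re0 prefixlen 64 scopeid 0x3
        inet 172.31.1.1 netmask 0xffffff00 broadcast 172.31.1.255'

# inet6_global_addrs IF: read ifconfig text on stdin and print "ADDR PREFIXLEN"
# for each inet6 address of IF that is not link-local.  fe80::/10 is skipped
# because pf ignores link-local addresses when it builds the network part of
# an antispoof rule; with nothing else on the interface the expansion is empty.
inet6_global_addrs() {
    awk -v want="$1" '
        /^[A-Za-z]/ { iface = $1; sub(/:$/, "", iface) }      # "re0:" -> "re0"
        iface == want && $1 == "inet6" {
            addr = $2; sub(/%.*/, "", addr)                    # drop %scope
            if (tolower(addr) ~ /^fe[89ab]/) next              # fe80::/10
            for (i = 3; i < NF; i++)
                if ($i == "prefixlen") print addr, $(i + 1)
        }'
}

# inet6_network ADDR PREFIXLEN: print the network prefix, e.g.
# "2001:4830:2502:8001::/64".  Expands "::", masks hextet by hextet and
# compresses trailing zero groups (enough for pf.conf syntax).
inet6_network() {
    printf '%s\n' "$1" | awk -v plen="$2" '
        function hex(s,    i, v) {
            v = 0; s = tolower(s)
            for (i = 1; i <= length(s); i++)
                v = v * 16 + index("0123456789abcdef", substr(s, i, 1)) - 1
            return v
        }
        function expand6(a, h,    parts, left, right, nl, nr, i) {
            nl = 0; nr = 0
            if (index(a, "::")) {
                split(a, parts, "::")
                nl = split(parts[1], left, ":"); nr = split(parts[2], right, ":")
            } else
                nl = split(a, left, ":")
            for (i = 1; i <= 8; i++) h[i] = 0
            for (i = 1; i <= nl; i++) h[i] = hex(left[i])
            for (i = 1; i <= nr; i++) h[8 - nr + i] = hex(right[i])
        }
        {
            expand6($1, h)
            for (i = 1; i <= 8; i++) {                 # apply the prefix mask
                keep = plen - 16 * (i - 1)
                if (keep >= 16) continue
                if (keep <= 0) h[i] = 0
                else h[i] = int(h[i] / 2 ^ (16 - keep)) * 2 ^ (16 - keep)
            }
            last = 0
            for (i = 1; i <= 8; i++) if (h[i] != 0) last = i
            out = ""
            for (i = 1; i <= (last > 6 ? 8 : last); i++)
                out = out (i > 1 ? ":" : "") sprintf("%x", h[i])
            if (last <= 6) out = out "::"
            printf "%s/%d\n", out, plen
        }'
}

# antispoof_inet6_expand IF: print the rules "antispoof quick for IF inet6"
# stands for (pf.conf(5) form), reading ifconfig text on stdin.  Returns 1
# when nothing can be generated: that is the state in which pfctl stops with
# "rule expands to no valid combination" and loads no rules at all, so pf
# ends up enabled with an empty ruleset (everything passes).
antispoof_inet6_expand() {
    iface=$1
    rules=$(inet6_global_addrs "$iface" | while read -r addr plen; do
        printf 'block drop in quick on ! %s inet6 from %s to any\n' \
            "$iface" "$(inet6_network "$addr" "$plen")"
        printf 'block drop in quick inet6 from %s to any\n' "$addr"
    done)
    if [ -z "$rules" ]; then
        echo "antispoof for $iface inet6: rule expands to no valid combination" >&2
        return 1
    fi
    printf '%s\n' "$rules"
}

# Stand-alone use: "sh antispoof6.sh" checks the constructed sample;
# "ifconfig | sh antispoof6.sh re0" checks a live host before "pfctl -f".
if [ -n "${1:-}" ]; then
    antispoof_inet6_expand "$1"
else
    for i in ath0 re0; do
        printf '%s\n' "$SAMPLE_IFCONFIG" | antispoof_inet6_expand "$i" \
            || echo "$i: the inet6 antispoof rule would abort the ruleset load"
    done
fi
```

pfctl -nvf /etc/pf.conf parses and prints the expanded rules without loading them, so it is the quickest way to see whether the inet6 antispoof lines expand on a given host at a given moment; pfctl -sr after boot shows what actually got loaded, and an empty listing while pf is enabled is the state to watch for. If the addresses come up after pf does, reloading with pfctl -f /etc/pf.conf once they are present, or writing the explicit prefix rules the script prints instead of the interface-derived antispoof line, avoids booting with an open firewall.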