kern/127920: [pf] ipv6 and synproxy don't play well together
Petko Bordjukov
bordjukov at gmail.com
Sun Jan 18 12:00:05 PST 2009
The following reply was made to PR kern/127920; it has been noted by GNATS.
From: Petko Bordjukov <bordjukov at gmail.com>
To: bug-followup at FreeBSD.org, hlh at restart.be
Cc:
Subject: Re: kern/127920: [pf] ipv6 and synproxy don't play well together
Date: Sun, 18 Jan 2009 21:29:56 +0200
I am having the same problem.
FreeBSD router.supranet.eu 7.1-RELEASE-p2 FreeBSD 7.1-RELEASE-p2 #2: Wed Jan 14 15:58:07 EET 2009 root at router.xxx.yyy:/var/src/sys/i386/compile/H5A8S i386
pf.conf:
> ...
>
> # Settings
>
> set block-policy drop
> set skip on lo0
>
> ## TRAFFIC NORMALIZATION
> scrub in on $ext_if all fragment reassemble
> scrub out on $ext_if all fragment reassemble random-id no-df
> scrub in on $tunnel_if all fragment reassemble
> scrub out on $tunnel_if all fragment reassemble random-id no-df
>
> # Queueing
>
> # Translation
> <NAT settings here>
>
> # Filtering
>
> # activate spoofing protection for all interfaces
> # block in log quick from urpf-failed
> antispoof log quick for $loopback_if label "Antispoof for $if interface."
> antispoof log quick for $int_if label "Antispoof for $if interface."
>
> # default rule
> block log all label "Block all."
> block in on $ext_if proto { tcp udp } from any to any port { 137, 138, 139, 445 } label "Block netbios broadcasts and don't log."
>
> pass out from self to any modulate state label "Permit outgoing traffic from the firewall."
> pass out on !$int_if from $localnet6 to any modulate state label "Permit outgoing traffic from the local v6 net."
> pass inet proto icmp all icmp-type { 0, 3, 4, 11 } keep state label "Permit safe ICMP."
> # http://www.freebsd.org/cgi/man.cgi?query=icmp6
> pass inet6 proto icmp6 all icmp6-type { 1,2,3,4 } keep state label "Permit safe ICMPv6."
> pass in on $tunnel_if inet6 proto icmp6 from $tun_endpoint icmp6-type {128,135,136} keep state label "Permit IPv6 ping, neighbor solic., advert. from endpoint."
>
>
> # Allow access to services
> pass in inet proto tcp from any to $pub_ips port $tcp_services synproxy state label "Access to $dstaddr $proto/$dstport."
>
>
>
> #### Trouble comes from this rule
> pass in inet6 proto tcp from any to $pub_ips port $tcp_services synproxy state label "Access to $dstaddr $proto/$dstport."
>
>
>
>
> pass in proto udp from any to $pub_ips port $udp_services keep state label "Access to $dstaddr $proto/$dstport."
> pass in on $ext_if inet proto {tcp udp} from any to $localnet port $connectable synproxy state label "Allow incoming connections -> mapped $proto ports on $if."
>
> # trusted IPs
> pass from <trusted_ips> to any keep state label "Grant access to trusted IPs."
>
> # trust local network
> pass in on $int_if all modulate state label "Permit incoming traffic from the Local network."
> pass out on $int_if proto {tcp, udp} from any to $localnet4 port $connectable modulate state label "Allow connections to mapped ports to reach LAN destinations."
> pass proto tcp from any to $localnet6 port $client_tcp_services modulate state label "Allow IPv6 access to/from the ($proto) client services."
> pass proto { tcp, udp } from any to $localnet6 port $connectable modulate state label "Allow IPv6 access to/from the connectable ($proto) ports."
--
- Petko
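Added example, not part of the reporter's configuration: the usual way to keep a ruleset like the one above working while the IPv6 synproxy problem is open is to apply synproxy to the IPv4 rule only and fall back to ordinary stateful filtering for the IPv6 rule. Interface names, addresses, ports and macro names below are assumptions chosen so that the fragment is self-contained; only the rule shapes mirror the quoted pf.conf.

```pf
# Added example, not the reporter's pf.conf. Macro values are assumed
# for illustration; replace them with real interfaces and addresses.
ext_if       = "em0"
tunnel_if    = "gif0"
pub_ips4     = "{ 192.0.2.10, 192.0.2.11 }"
pub_ips6     = "{ 2001:db8::10, 2001:db8::11 }"
tcp_services = "{ 22, 25, 80, 443 }"

set block-policy drop
set skip on lo0

scrub in on $ext_if all fragment reassemble
scrub in on $tunnel_if all fragment reassemble

# default deny, logged
block log all label "Block all."

# IPv4: pf completes the three-way handshake on the server's behalf and
# only then opens a connection to the server, so spoofed SYNs never
# reach the service.
pass in on $ext_if inet proto tcp from any to $pub_ips4 port $tcp_services \
    synproxy state label "v4 synproxy to $dstaddr $proto/$dstport."

# IPv6: no synproxy on this release. A plain stateful rule still
# tracks sequence numbers and drops segments that fall outside the
# window; it just does not absorb the handshake itself.
pass in on $tunnel_if inet6 proto tcp from any to $pub_ips6 port $tcp_services \
    flags S/SA keep state label "v6 keep state to $dstaddr $proto/$dstport."
```

Check the fragment with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. After a test connection over each address family, `pfctl -ss` shows whether a state entry was created for the IPv6 rule, and `tcpdump -ni pflog0` shows what the `block log all` rule is still dropping; if the v6 SYN/ACK never leaves the firewall with the synproxy rule in place but does with `keep state`, the ruleset is hitting the behaviour this PR describes rather than a separate filtering mistake.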