[Bug 233581] Bug in PF or in PF man-page?

bugzilla-noreply at freebsd.org
Tue Dec 4 21:32:22 UTC 2018


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=233581

--- Comment #10 from peos42 <peo_s at incedo.org> ---
Have not tested on head. Is something fixed regarding this?


Config posted below as requested. Note that IPv4 and IPv6 addresses are
substituted with fake ones.


#######################
### FROM MAIN HOST ####
#######################
22:09:30 huey:~ # ifconfig -a
vtnet0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=6c07bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        ether 00:16:3c:7f:67:0e
        hwaddr 00:16:3c:7f:67:0e
        inet 1.2.3.4 netmask 0xffffff00 broadcast 1.2.3.255 
        inet6 fe80::216:3cff:fe7f:670e%vtnet0 prefixlen 64 scopeid 0x1 
        inet6 2222:3333:6:6df::1111 prefixlen 48 
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet 10Gbase-T <full-duplex>
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128 
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2 
        inet 127.0.0.1 netmask 0xff000000 
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        groups: lo 
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33160
        groups: pflog 
22:09:32 huey:~ # 


Note that the PF below will be rebuilt from scratch with variables and tagging
etc. But for this case it doesn't matter....

22:10:21 huey:~ # more /etc/pf.conf |grep -v ^#|sed '/^$/d'
set skip on lo0
block all
pass out quick on { lo0 vtnet0 } inet proto {tcp gre esp udp icmp ipv6} all keep state
pass out quick on { lo0 vtnet0 } inet6 proto {tcp gre esp udp icmp6} all keep state
pass out quick on { lo0 vtnet0 } inet6 all keep state
antispoof quick for vtnet0
pass in log quick on vtnet0 inet proto icmp from any to vtnet0 icmp-type { 8 code 0 , 3 code 3 , 11 code 0 } keep state
pass in quick on vtnet0 inet6 proto { ipv6-icmp } from any to any keep state
block in log quick on vtnet0 proto tcp from <bad_hosts_SSH_MAIN_HOST> to vtnet0 port { 22 }
pass in log quick on vtnet0 inet proto tcp from any to vtnet0 port { 22 } flags S/SAFR keep state (max 100, max-src-nodes 30, max-src-states 30, max-src-conn 20, max-src-conn-rate 3/30, overload <bad_hosts_SSH_MAIN_HOST> flush global)
pass in log quick on vtnet0 inet6 proto tcp from any to vtnet0 port { 22 } flags S/SAFR keep state (max 100, max-src-nodes 30, max-src-states 30, max-src-conn 20, max-src-conn-rate 3/30, overload <bad_hosts_SSH_MAIN_HOST> flush global)
block in log quick on vtnet0 proto tcp from <bad_hosts_SSH_DNS_HOST> to vtnet0 port { 10022 }
pass in log quick on vtnet0 inet proto tcp from any to vtnet0 port { 10022 } flags S/SAFR keep state (max 100, max-src-nodes 30, max-src-states 30, max-src-conn 20, max-src-conn-rate 3/30, overload <bad_hosts_SSH_DNS_HOST> flush global)
pass in log quick on vtnet0 inet6 proto tcp from any to vtnet0 port { 10022 } flags S/SAFR keep state (max 100, max-src-nodes 30, max-src-states 30, max-src-conn 20, max-src-conn-rate 3/30, overload <bad_hosts_SSH_DNS_HOST> flush global)
pass in quick on vtnet0 inet proto tcp from any to vtnet0 port { 53 } flags S/SAFR keep state
pass in quick on vtnet0 inet6 proto tcp from any to vtnet0 port { 53 } flags S/SAFR keep state
pass in quick on vtnet0 inet proto udp from any to vtnet0 port { 53 } keep state
pass in quick on vtnet0 inet6 proto udp from any to vtnet0 port { 53 } keep state
pass in quick on lo0 inet proto tcp from 1.2.3.4 to 1.2.3.4 port 953 flags S/SAFR keep state
block in log quick on vtnet0 proto tcp from <bad_hosts_SSH_MAIL_HOST> to vtnet0 port { 20022 }
pass in log quick on vtnet0 inet proto tcp from any to vtnet0 port { 20022 } flags S/SAFR keep state (max 100, max-src-nodes 30, max-src-states 30, max-src-conn 20, max-src-conn-rate 3/30, overload <bad_hosts_SSH_MAIL_HOST> flush global)
pass in log quick on vtnet0 inet6 proto tcp from any to vtnet0 port { 20022 } flags S/SAFR keep state (max 100, max-src-nodes 30, max-src-states 30, max-src-conn 20, max-src-conn-rate 3/30, overload <bad_hosts_SSH_MAIL_HOST> flush global)
pass in log quick on vtnet0 inet proto tcp from any to vtnet0 port { 25 465 587 } flags S/SAFR keep state
pass in log quick on vtnet0 inet6 proto tcp from any to vtnet0 port { 25 465 587 } flags S/SAFR keep state
block in log quick on vtnet0 proto tcp from <bad_hosts_SSH_WEB_HOST> to vtnet0 port { 30022 }
pass in log quick on vtnet0 inet proto tcp from any to vtnet0 port { 30022 } flags S/SAFR keep state (max 100, max-src-nodes 30, max-src-states 30, max-src-conn 20, max-src-conn-rate 3/30, overload <bad_hosts_SSH_WEB_HOST> flush global)
pass in log quick on vtnet0 inet6 proto tcp from any to vtnet0 port { 30022 } flags S/SAFR keep state (max 100, max-src-nodes 30, max-src-states 30, max-src-conn 20, max-src-conn-rate 3/30, overload <bad_hosts_SSH_WEB_HOST> flush global)
pass in log quick on vtnet0 inet proto tcp from any to vtnet0 port { 80 443 } flags S/SAFR keep state
pass in log quick on vtnet0 inet6 proto tcp from any to vtnet0 port { 80 443 } flags S/SAFR keep state
22:10:24 huey:~ # 



###########################
### FROM DNS JAIL HOST ####
###########################


"rndc reload" does NOT work in this jail if the following pf.conf row is
removed from the main host...

pass in quick on lo0 inet proto tcp from 1.2.3.4 to 1.2.3.4 port 953 flags S/SAFR keep state

On OpenBSD this is not needed as "set skip on lo0" works... But all this I have
already written in earlier posts.



22:11:25 DNS:~ # ifconfig -a
vtnet0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=6c07bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        ether 00:16:3c:7f:67:0e
        hwaddr 00:16:3c:7f:67:0e
        inet 1.2.3.4 netmask 0xffffff00 broadcast 1.2.3.255 
        inet6 2222:3333:6:6df::1111 prefixlen 48 
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet 10Gbase-T <full-duplex>
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        groups: lo 
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33160
        groups: pflog 
22:11:27 DNS:~ # 


22:13:24 DNS:~ # more /usr/local/etc/namedb/rndc.conf |grep default-server
        default-server 1.2.3.4;
22:13:25 DNS:~ # 

22:13:26 DNS:~ # more /usr/local/etc/namedb/named.conf |grep 953
        inet 1.2.3.4 port 953 allow { 1.2.3.4; 127.0.0.1; 2222:3333:5:6df::1111; } keys { "rndc-key"; };
22:13:31 DNS:~ #
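Added example, not part of the bug report and not pf's own code: a toy Python evaluator for the pf.conf subset used in the ruleset above (last-match semantics with `quick`, plus `set skip`). The `honour_skip` switch is an assumption standing in for whether `set skip on lo0` covers the jail-to-host loopback traffic, so the two outcomes the comment describes for the rndc connection to port 953 can be reproduced offline; rule lists, tables and flags are not modelled.

```python
import re
# Grammar of the pf.conf subset the toy understands; text after "port N"
# (flags, keep state, limits) is deliberately ignored.
RULE_RE = re.compile(
    r"^(?P<action>pass|block)(?:\s+(?P<dir>in|out)\b)?(?:\s+log)?"
    r"(?:\s+(?P<quick>quick))?(?:\s+on\s+(?P<iface>\S+))?"
    r"(?:\s+(?P<af>inet6?))?(?:\s+proto\s+(?P<proto>\S+))?"
    r"(?:\s+all|\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+port\s+(?P<port>\d+))?)?"
)

def parse_ruleset(text):
    """Return (skipped interfaces, parsed rules); lists/tables unsupported."""
    skip, rules = set(), []
    for line in text.strip().splitlines():
        line = line.strip()
        if line.startswith("set skip on "):
            skip.add(line.split()[-1])
            continue
        m = RULE_RE.match(line)
        if m is None or "{" in line or "<" in line:
            raise ValueError("unsupported by toy evaluator: " + line)
        rules.append(m.groupdict())
    return skip, rules

def _matches(rule, pkt):
    for key in ("dir", "iface", "af", "proto", "src", "dst"):
        if rule[key] not in (None, "any") and rule[key] != pkt[key]:
            return False
    return rule["port"] is None or int(rule["port"]) == pkt["dport"]

def evaluate(ruleset, pkt, honour_skip=True):
    """Last matching rule wins unless a matching rule is 'quick' (pf semantics).
    honour_skip=False models 'set skip on lo0' not covering this traffic."""
    skip, rules = parse_ruleset(ruleset)
    if honour_skip and pkt["iface"] in skip:
        return "pass"  # a skipped interface is never filtered
    verdict = "pass"  # pf's default when no rule matches
    for rule in rules:
        if _matches(rule, pkt):
            verdict = rule["action"]
            if rule["quick"]:
                break
    return verdict

# Constructed sample: the jail's rndc connecting to named's control port.
RNDC = {"dir": "in", "iface": "lo0", "af": "inet", "proto": "tcp",
        "src": "1.2.3.4", "dst": "1.2.3.4", "dport": 953}
WITHOUT_LO0_RULE = "set skip on lo0\nblock all\n"
WITH_LO0_RULE = WITHOUT_LO0_RULE + "pass in quick on lo0 inet proto tcp from 1.2.3.4 to 1.2.3.4 port 953 flags S/SAFR keep state\n"
```

With the skip honoured the rndc packet passes without any explicit rule; with it not honoured, only the explicit lo0 rule for port 953 keeps `block all` from winning.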
