pf losing (v6) TCP states much too early, "no-route" not working with IPv6
Harald Schmalzbauer
h.schmalzbauer at omnilan.de
Fri May 31 13:44:10 UTC 2013
Hello,
my default pf config blocks everything and allows specific connections.
One of them is "in from x to self port ssh" which expands to "port ssh
keep state flags S/SA" by default.
After ssh login, I see the corresponding entry in the states table:
all tcp 2001:db8:f0bb:1::1[22] <- 2001:db8:f0bb:1::3:1[42730]
ESTABLISHED:ESTABLISHED
pfctl -s info claims:
TIMEOUTS:
...
tcp.established 86400s
...
After a couple of hours of inactivity, the ssh session silently stalls.
Here's what I have in the log:
rule 3/0(match): block in on rl1: 2001:db8:f0bb:1::3:1.42730 >
2001:db8:f0bb:1::1.22: Flags [P.], ack 1444009640, win 65535, length 48
The rule evaluation by itself is correct, it's no TCP-SYN, so it gets
blocked, but this packet should not get through the ruleset at all, at
least not before 86400s of idle connection. In my case, it was after ~3
hours. And the port numbers are exactly the same as in the state table
entry from some hours before. So the state table entry seems to have got lost!
My question:
Is such a problem known?
Did I miss anything else?
System runs 8.1-STABLE/x86
Another issue was that "no-route" doesn't work for IPv6 connections. I
had to replace it with "any".
Thanks for any hints in advance,
-Harry
P.S.: It's an embedded box where upgrading is overdue, but not that easy...
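The comparison the post does by hand (a blocked non-SYN packet whose addresses and ports match a state entry seen earlier) can be automated when troubleshooting this kind of state loss. The following is an added example, not code from the post or from pf/FreeBSD; the state and pflog lines are constructed samples modelled on the ones quoted above, and the formats assumed are `pfctl -s state` output and tcpdump-style pflog text.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input modelled on the pfctl -s state and pflog lines in the post.
STATES = """\
all tcp 2001:db8:f0bb:1::1[22] <- 2001:db8:f0bb:1::3:1[42730]       ESTABLISHED:ESTABLISHED
all tcp 2001:db8:f0bb:1::1[22] <- 2001:db8:f0bb:1::3:1[50001]       SYN_SENT:CLOSED
"""
LOG = """\
rule 3/0(match): block in on rl1: 2001:db8:f0bb:1::3:1.42730 > 2001:db8:f0bb:1::1.22: Flags [P.], ack 1444009640, win 65535, length 48
rule 3/0(match): block in on rl1: 2001:db8:f0bb:1::9.40000 > 2001:db8:f0bb:1::1.22: Flags [S], seq 1, win 65535, length 0
rule 3/0(match): block in on rl1: 2001:db8:f0bb:1::3:1.50001 > 2001:db8:f0bb:1::1.22: Flags [P.], ack 1, win 65535, length 10
"""

STATE_RE = re.compile(r'^\S+\s+(tcp|udp)\s+(\S+)\[(\d+)\]\s+(<-|->|<->)\s+(\S+)\[(\d+)\]\s+(\S+)')
LOG_RE = re.compile(r'block (in|out) on (\S+): (\S+) > (\S+): Flags \[([^\]]*)\]')

Endpoints = Tuple[str, int, str, int]

def _split_hostport(s: str) -> Tuple[str, int]:
    # pflog/tcpdump prints the port after a final '.', even for IPv6 ("...::3:1.42730").
    host, port = s.rsplit('.', 1)
    return host, int(port)

def _key(a: str, ap: int, b: str, bp: int) -> Endpoints:
    # Order-independent key so a packet in either direction matches the same state.
    return min((a, ap, b, bp), (b, bp, a, ap))

def parse_states(text: str) -> Dict[Endpoints, str]:
    """Map each TCP state's endpoint pair to its pf state string (e.g. ESTABLISHED:ESTABLISHED)."""
    states: Dict[Endpoints, str] = {}
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if m and m.group(1) == 'tcp':
            _, a, ap, _, b, bp, st = m.groups()
            states[_key(a, int(ap), b, int(bp))] = st
    return states

def lost_state_blocks(states_text: str, log_text: str) -> List[str]:
    """Blocked non-SYN packets that belong to a connection pf earlier held as ESTABLISHED."""
    established = {k for k, st in parse_states(states_text).items() if st == 'ESTABLISHED:ESTABLISHED'}
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        _, _, src, dst, flags = m.groups()
        s, sp = _split_hostport(src)
        d, dp = _split_hostport(dst)
        # A SYN being blocked is the ruleset working; a mid-stream segment is the symptom.
        if 'S' not in flags and _key(s, sp, d, dp) in established:
            hits.append(f"{s}.{sp} > {d}.{dp} flags [{flags}]")
    return hits

if __name__ == '__main__':
    for hit in lost_state_blocks(STATES, LOG):
        print("state lost:", hit)
```

Running it against a `pfctl -s state` snapshot taken while the session works and the pflog output from after the stall reports only the connection whose state disappeared, not fresh SYNs or half-open states.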