From owner-freebsd-security@freebsd.org Sat Nov 14 16:58:56 2020
From: "J. Hellenthal"
To: freebsd-security@freebsd.org
Date: Sat, 14 Nov 2020 10:58:51 -0600
Subject: pf/pfctl loading CIDR tables & IPv6

Hello List!

Hoping someone might be able to shed some light on this and get to a conclusion faster than I have time for right now.

But while loading a CIDR formatted list with ‘#’ comments from [1] I am getting the following error for multiple entries >10, and it results in only the partial list being loaded into the table… The settings to download the file[2] are from the Russian Federation, IPv6 and in CIDR format.

“ (pfctl -v -t blacklist -T add -f […]
No ALTQ support in kernel
ALTQ related functions disabled
no IP address found for 2001:BB6:6A10:4200:58D7:5934:7
pfctl: cannot load Downloads/cidr-3ffe1c0826f41fbdced334355b66202c.txt: Undefined error: 0
"

This happens both on FreeBSD 12-STABLE r367639 and the latest macOS Big Sur.

1. https://www.ip2location.com/free/visitor-blocker
2. https://www.dropbox.com/s/8efctv56j6ocrbv/Screen%20Shot%202020-11-14%20at%2010.52.07.png?dl=0

Appreciate any feedback on this and willing to test any patches to resolve this situation.

Thank you

--
J. Hellenthal

The fact that there's a highway to Hell but only a stairway to Heaven says a lot about anticipated traffic volume.
From owner-freebsd-security@freebsd.org Sat Nov 14 17:39:09 2020
From: "J. Hellenthal"
To: freebsd-security@freebsd.org
Date: Sat, 14 Nov 2020 11:39:04 -0600
Subject: Re: pf/pfctl loading CIDR tables & IPv6

I should also note here that after modifying the file and removing the offending information there was also another error where the “/” character was being tested and failed for IPv6, but I do not have that error available ATM.

--
J. Hellenthal

The fact that there's a highway to Hell but only a stairway to Heaven says a lot about anticipated traffic volume.
From owner-freebsd-security@freebsd.org Sat Nov 14 18:39:18 2020
From: John-Mark Gurney
To: "J. Hellenthal"
Cc: freebsd-security@freebsd.org
Date: Sat, 14 Nov 2020 10:39:08 -0800
Subject: Re: pf/pfctl loading CIDR tables & IPv6
Message-ID: <20201114183908.GL31099@funkthat.com>

J. Hellenthal via freebsd-security wrote this message on Sat, Nov 14, 2020 at 10:58 -0600:
> Hoping someone might be able to shed some light on this and get to a conclusion faster than I have time for right now.
>
> But while loading a CIDR formatted list with ‘#’ comments from [1] I am getting the following error for multiple entries >10 and results in only the partial list being loaded into the table… The settings to download the file[2] are from the Russian Federation, IPv6 and in CIDR format.
>
> “ (pfctl -v -t blacklist -T add -f […]
> No ALTQ support in kernel
> ALTQ related functions disabled
> no IP address found for 2001:BB6:6A10:4200:58D7:5934:7

Well, this isn't a valid ipv6 address. There are only 7 segments, whereas an ipv6 address needs 8. There is not a :: to fill out the missing segment.

--
  John-Mark Gurney                              Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."

From owner-freebsd-security@freebsd.org Sat Nov 14 18:49:19 2020
From: "J. Hellenthal"
To: John-Mark Gurney
Cc: FreeBSD-security@freebsd.org
Date: Sat, 14 Nov 2020 12:49:12 -0600
Subject: Re: pf/pfctl loading CIDR tables & IPv6
In-Reply-To: <20201114183908.GL31099@funkthat.com>

Well shoot! I don’t even think about going down that rabbit hole. Thank you.

Wondering if it would be more useful, though, to skip past those formatting errors and continue reading the rest of the list instead of just discarding the results and not loading the remainder.

I’ll be in touch with ip2location as well.

--
J. Hellenthal

The fact that there's a highway to Hell but only a stairway to Heaven says a lot about anticipated traffic volume.

From owner-freebsd-security@freebsd.org Sat Nov 14 18:59:21 2020
From: John-Mark Gurney
To: "J. Hellenthal"
Cc: FreeBSD-security@freebsd.org
Date: Sat, 14 Nov 2020 10:59:17 -0800
Subject: Re: pf/pfctl loading CIDR tables & IPv6
Message-ID: <20201114185917.GN31099@funkthat.com>

J. Hellenthal wrote this message on Sat, Nov 14, 2020 at 12:49 -0600:
> Well shoot! I don’t even think about going down that rabbit hole. Thank you.
>
>> no IP address found for 2001:BB6:6A10:4200:58D7:5934:7

The `no IP address found for` triggered my "it's trying to do a name lookup" thought process, but that'd only happen if it wasn't a valid address..

> Wondering if it would be more useful, though, to skip past those formatting errors and continue reading the rest of the list instead of just discarding the results and not loading the remainder.

Don't have a strong opinion on this...

> I’ll be in touch with ip2location as well.

--
  John-Mark Gurney                              Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
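The two practical points in this thread are John-Mark's diagnosis (an IPv6 literal without `::` must carry exactly 8 groups, and pfctl's "no IP address found" means it fell back to a name lookup on something that was not a valid address) and J. Hellenthal's wish to load the valid entries instead of losing the whole table to one bad line. The script below is an added example written for this page, not code from the thread or from FreeBSD; it pre-checks a `#`-commented CIDR list with Python's standard `ipaddress` module, writes the accepted entries to stdout for `pfctl -T add -f`, and reports each rejected line with the group count in the same terms John-Mark used. The sample list, the `check_cidr.py` file name and the helper names are constructed for the example; only the 7-group address is taken from the thread.

```python
"""Pre-check a CIDR block list before `pfctl -t <table> -T add -f <file>`.

pfctl stops at the first line it cannot parse (the thread's example is the
7-group IPv6 address below), so a single bad entry keeps the whole list out
of the table. Splitting the file into accepted and rejected lines lets the
valid prefixes load while the bad ones are reported to the list provider.
Constructed example; not part of the mailing-list thread.
"""
import ipaddress
import sys

# Constructed sample in the style of a '#'-commented CIDR list. The third
# entry is the malformed address quoted in the thread; 2001:db8::/32 and
# 192.0.2.0/24 are documentation prefixes, not real blocklist data.
SAMPLE_LIST = """\
# constructed sample block list
2001:db8:1::/48
2001:BB6:6A10:4200:58D7:5934:7
2001:db8::1
2001:db8:2::/48   # trailing comment is stripped
2001:db8:abcd::/129
192.0.2.0/24
"""


def ipv6_group_diagnosis(token):
    """Explain the 'segment count' failure in the thread's terms.

    An IPv6 literal without '::' must have exactly 8 colon-separated 16-bit
    groups; '::' stands in for one or more all-zero groups. Returns a message
    for the uncompressed-but-wrong-length case, else None (and leaves the
    verdict to ipaddress).
    """
    addr = token.split("/", 1)[0]
    if ":" not in addr or "::" in addr:
        return None
    groups = addr.split(":")
    if len(groups) != 8:
        return (f"{len(groups)} groups; an uncompressed IPv6 address needs 8 "
                f"and there is no '::' to fill in the missing ones")
    return None


def parse_blocklist(text):
    """Split list text into (accepted, rejected).

    accepted: the original tokens that ipaddress accepts as an address or
              prefix (host bits set are tolerated, as pfctl tolerates them).
    rejected: (line_number, token, reason) for every token it does not.
    Hostnames are rejected on purpose: pfctl would resolve them at load
    time, and 'no IP address found for ...' is that lookup path failing.
    """
    accepted, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        token = raw.split("#", 1)[0].strip()   # '#' starts a comment
        if not token:
            continue
        try:
            ipaddress.ip_network(token, strict=False)
        except ValueError as exc:
            reason = ipv6_group_diagnosis(token) or str(exc)
            rejected.append((lineno, token, reason))
            continue
        accepted.append(token)
    return accepted, rejected


def main(argv):
    """Usage: python3 check_cidr.py list.txt > clean.txt
    then:  pfctl -t blacklist -T add -f clean.txt
    Rejects go to stderr; exit status 2 signals that lines were dropped."""
    path = argv[1] if len(argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else SAMPLE_LIST
    accepted, rejected = parse_blocklist(text)
    sys.stdout.write("\n".join(accepted) + "\n")
    for lineno, token, reason in rejected:
        sys.stderr.write(f"line {lineno}: rejected {token!r}: {reason}\n")
    return 2 if rejected else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run with no argument it filters the built-in sample and reports line 3 (the 7-group address) and line 6 (a /129 prefix) on stderr while the four valid entries go to stdout. The non-zero exit status is deliberate: a cron job that refreshes the table should notice that entries were dropped and keep the rejected lines for the report back to the list provider, rather than silently shipping a shorter blocklist.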