From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 143504] outgoing states are not killed by authpf(8)
Date: Mon, 28 Oct 2024 19:50:15 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=143504

Alexander Vereeken changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
        Summary|[patch] outgoing states are |outgoing states are not
               |not killed by authpf(8)     |killed by authpf(8)
             CC|                            |Alexander88207@protonmail.com

-- 
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.

From: Dries Michiels
Date: Sat, 2 Nov 2024 16:30:48 +0100
Subject: IPFW stateful firewall ruleset - some sites or applications do not work as expected
To: freebsd-ipfw@freebsd.org, freebsd-pf@freebsd.org, FreeBSD Net

Hello,

So I have a very basic ruleset, as described in the FreeBSD handbook, see below. I have "blurred" my open ports as seen in the ruleset below.
Igc0 is my WAN port and in the table "trusted_if" are like my LAN if and some bridges.

00001 reass ip from any to any in
00010 allow ip from any to any via table(trustedif)
00050 deny log ip from any to any not antispoof in
00100 nat 1 ip4 from any to any in recv igc0
00500 skipto 10000 tcp from any to any out xmit igc0 setup keep-state :default
00501 skipto 10000 udp from any to any out xmit igc0 keep-state :default
05000 allow tcp from any to me *some open ports* in recv igc0 setup keep-state :default
05001 allow udp from any to me *some open ports* in recv igc0 keep-state :default
09998 deny log tcp from any to any
09999 deny log udp from any to any
10000 nat 1 ip4 from any to any out xmit igc0
65535 allow ip from any to any

Now comes the tricky part. There are some applications that don't work correctly with this ruleset.
For example, itsme (Belgian application) to identify yourself with a lot of accounts, does not work.
Recently my banking website also stopped working. So now I'm wondering how do I start to troubleshoot this issue?
Are there any caveats with this ruleset when redirects are happening for example? I'm also wondering if Belgian PF users have the same issue?

I'm hopeful to get to the bottom of this as it's quite annoying needing to switch wifi channels to my ISP's router which does work with these applications.

Regards
Dries
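A small rule-walk simulator for the ruleset in the post, added here as an example (not the poster's code and not ipfw itself). It parses only the keywords this ruleset uses, models the implicit check-state that ipfw performs at the first keep-state rule when the set has no check-state rule, and reports which rules a packet hits and where it ends; the blurred open ports are represented by a placeholder port 443, the "flow" key stands in for the 5-tuple, and the packet fields (trusted, spoofed, to_me) are simplified stand-ins for the table, antispoof and "me" checks.

```python
RULESET = """00001 reass ip from any to any in
00010 allow ip from any to any via table(trustedif)
00050 deny log ip from any to any not antispoof in
00100 nat 1 ip4 from any to any in recv igc0
00500 skipto 10000 tcp from any to any out xmit igc0 setup keep-state :default
00501 skipto 10000 udp from any to any out xmit igc0 keep-state :default
05000 allow tcp from any to me 443 in recv igc0 setup keep-state :default
05001 allow udp from any to me 443 in recv igc0 keep-state :default
09998 deny log tcp from any to any
09999 deny log udp from any to any
10000 nat 1 ip4 from any to any out xmit igc0
65535 allow ip from any to any"""  # re-typed from the post; 443 stands in for the blurred ports (assumption)

def parse(text):  # the subset of ipfw(8) syntax used above -> list of rule dicts
    rules = []
    for line in text.splitlines():
        t = line.split(); num, act, t = int(t[0]), t[1], t[2:]
        tgt = t.pop(0) if act in ("skipto", "nat") else None
        if t[0] == "log": t.pop(0)
        i = t.index("to"); o = t[i + 2:]
        port = int(o.pop(0)) if o and o[0].isdigit() else None
        rules.append(dict(num=num, act=act, tgt=tgt, proto=t[0], dst=t[i + 1], port=port, o=o))
    return rules
def matches(r, p):  # static match of one rule against a packet description
    o = r["o"]
    ok = r["proto"] in ("ip", "ip4", p["proto"]) and (r["dst"] != "me" or p["to_me"])
    ok &= r["port"] in (None, p["dport"]) and (not {"in", "out"} & set(o) or p["dir"] in o)
    ok &= all(p["iface"] == o[o.index(k) + 1] for k in ("recv", "xmit") if k in o)
    ok &= ("via" not in o or p["trusted"]) and ("antispoof" not in o or p["spoofed"])
    return ok and ("setup" not in o or p["syn"])
def trace(rules, p, states):  # walk the rules like ipfw -> (verdict, rule numbers hit)
    path, i, checked = [], 0, False
    while i < len(rules):
        r, hit = rules[i], None
        # no check-state rule in this set, so dynamic rules are checked at the first keep-state rule
        if not checked and "keep-state" in r["o"]: checked, hit = True, states.get(p["flow"])
        if hit is None and matches(r, p): hit = r
        if hit is r and "keep-state" in r["o"]: states[p["flow"]] = r  # new dynamic rule, parent r
        if hit:
            path.append(hit["num"])
            if hit["act"] in ("allow", "deny"): return hit["act"], path
            if hit["act"] == "skipto": i = [x["num"] >= int(hit["tgt"]) for x in rules].index(True); continue
        i += 1  # reass and nat fall through to the next rule
    return "deny", path
def demo():  # four packets through the ruleset -> {name: (verdict, rules hit)}
    rules, st = parse(RULESET), {}
    pk = lambda **k: dict(proto="tcp", iface="igc0", to_me=True, trusted=False, spoofed=False, **k)
    return {"lan_syn_out": trace(rules, pk(dir="out", syn=True, dport=443, flow="A"), st),
            "reply_in": trace(rules, pk(dir="in", syn=False, dport=51234, flow="A"), st),
            "new_in_443": trace(rules, pk(dir="in", syn=True, dport=443, flow="C"), st),
            "new_in_8080": trace(rules, pk(dir="in", syn=True, dport=8080, flow="B"), st)}
```

The last case shows where an inbound packet with no matching dynamic rule ends up: rule 09998 (or 09999 for UDP), so the log those rules produce is the first place to look when a site stops working, and `ipfw -d show` on the router lists the dynamic rules that exist at that moment.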