Date:      Tue, 3 Jul 2012 10:12:30 +0900 (JST)
From:      HASHI Hiroaki <hashiz@meridiani.jp>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   kern/169620: ng_l2tp incoming packet bypasses pf firewall
Message-ID:  <201207030112.q631CUY3008767@tomba.meridiani.jp>
Resent-Message-ID: <201207030150.q631o9cW043006@freefall.freebsd.org>


>Number:         169620
>Category:       kern
>Synopsis:       ng_l2tp incoming packet bypasses pf firewall
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jul 03 01:50:08 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator:     HASHI Hiroaki
>Release:        FreeBSD 8.3-STABLE i386
>Organization:
>Environment:
System: FreeBSD tomba.meridiani.jp 8.3-STABLE FreeBSD 8.3-STABLE #33: Mon Jul 2 01:44:40 JST 2012 hashiz@stenmark.meridiani.jp:/usr/obj/usr/src/sys/TOMBA i386

l2tp daemon: net/mpd5

>Description:
The PF firewall does not examine incoming packets on the ng_l2tp interface.
ng_pppoe : examined.
ng_l2tp  : not examined.

>How-To-Repeat:

Set up an l2tp tunnel using net/mpd5.

Connect from a client.

Write a block PF rule on the l2tp netgraph interface.
    block in quick on ngX inet from any to any
    pass  out quick on ngX inet from any to any

PF passes the packets through. The block rule is not evaluated.
    sudo pfctl -vvs Interfaces -i ngX

>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
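The reproduction above relies on reading the per-interface counters that `pfctl -vvs Interfaces -i ngX` prints: if pf evaluated inbound traffic on the interface, either In4/Pass or In4/Block climbs; if both stay at zero while the tunnel is known to carry inbound traffic, pf never saw those packets, which is the symptom this PR reports. The script below is an added example, not code from the PR or from FreeBSD; it parses that counter layout with a POSIX sh function plus awk so the check can be scripted (for instance from a monitoring job) instead of eyeballed. The `pfctl` output embedded in `SAMPLE` is constructed for the example in the layout pfctl uses, with made-up packet counts; in live use the variable would be replaced by the real command output.

```shell
#!/bin/sh
# Added example (not from the PR): decide from `pfctl -vvs Interfaces -i IF`
# output whether pf actually evaluated inbound IPv4 packets on an interface.
# If In4/Pass and In4/Block are both 0 while the link is known to carry
# inbound traffic, pf is not filtering that interface at all.

# inbound_counter OUTPUT IFNAME -> prints In4/Pass + In4/Block packet count
inbound_counter() {
    printf '%s\n' "$1" | awk -v ifname="$2" '
        # an unindented, non-empty line names the interface that follows
        NF > 0 && index(" \t", substr($0, 1, 1)) == 0 { cur = $1; next }
        cur == ifname && ($1 == "In4/Pass:" || $1 == "In4/Block:") {
            # field layout:  In4/Pass: [ Packets: N  Bytes: M ]
            for (i = 1; i <= NF; i++) if ($i == "Packets:") total += $(i + 1)
        }
        END { print total + 0 }'
}

# pf_sees_inbound OUTPUT IFNAME -> exit 0 if pf counted inbound packets, 1 if not
pf_sees_inbound() {
    [ "$(inbound_counter "$1" "$2")" -gt 0 ]
}

# Constructed sample (values made up): ng0 shows the PR's symptom, outbound
# traffic counted but nothing inbound; em0 is a normally filtered interface.
SAMPLE='ng0
	Cleared:     Tue Jul  3 09:00:00 2012
	References:  [ States:  0                  Rules: 2                  ]
	In4/Pass:    [ Packets: 0                  Bytes: 0                  ]
	In4/Block:   [ Packets: 0                  Bytes: 0                  ]
	Out4/Pass:   [ Packets: 812                Bytes: 91234              ]
	Out4/Block:  [ Packets: 0                  Bytes: 0                  ]
em0
	Cleared:     Tue Jul  3 09:00:00 2012
	References:  [ States:  3                  Rules: 4                  ]
	In4/Pass:    [ Packets: 1502               Bytes: 203311             ]
	In4/Block:   [ Packets: 17                 Bytes: 1360               ]
	Out4/Pass:   [ Packets: 1490               Bytes: 199870             ]
	Out4/Block:  [ Packets: 0                  Bytes: 0                  ]'

# Live use: SAMPLE=$(pfctl -vvs Interfaces -i ng0) after sending traffic in.
for ifc in ng0 em0; do
    if pf_sees_inbound "$SAMPLE" "$ifc"; then
        echo "$ifc: pf evaluated $(inbound_counter "$SAMPLE" "$ifc") inbound packets"
    else
        echo "$ifc: pf counted no inbound packets (rules bypassed?)"
    fi
done
```

A zero inbound count is only meaningful when you know traffic actually arrived on the interface in the same window (compare against `netstat -i` or the tunnel daemon's own counters), and the counters are cumulative since the last `pfctl -Fi` / interface creation, so clear or note them before generating the test traffic.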