Date: Thu, 12 Nov 2009 21:10:28 GMT
From: "Stephane D'Alu" <sdalu@sdalu.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: kern/140512: pf doesn't block udp packets on multicast addresses
Message-ID: <200911122110.nACLASNR069948@www.freebsd.org>
Resent-Message-ID: <200911122120.nACLK1as045306@freefall.freebsd.org>
>Number:         140512
>Category:       kern
>Synopsis:       pf doesn't block udp packets on multicast addresses
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Nov 12 21:20:01 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator:     Stephane D'Alu
>Release:        8.0-RC2
>Organization:
>Environment:
FreeBSD incal.sdalu.com 8.0-RC2 FreeBSD 8.0-RC2 #14: Mon Nov 9 23:14:33 CET 2009 root@incal.sdalu.com:/usr/obj/usr/src/sys/INCAL amd64
>Description:
For udp, the firewall rules are somewhat equivalent to (full rules available on request):

    set skip on lo0
    scrub in all
    block in log all
    pass out all
    pass in proto { tcp, udp } from any to net0 port domain
    pass in proto udp from any to net0 port { isakmp, 4500 }

When sniffing net0 with tcpdump, the following packets show up:

    ks358229.kimsufi.com.mdns > 224.0.0.251.mdns
    rbx-48-m2.routers.ovh.net.1985 > ALL-ROUTERS.MCAST.NET.1985
    pastel-pink.feralhosting.com.6771 > 239.192.152.143.6771
    ks358206.kimsufi.com.50914 > 239.255.255.250.1900

They all seem to be using multicast addresses. (Don't know if broadcast or tcp have the same issue.)
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
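As an added example (not part of the report or of FreeBSD), the following script runs the captured tcpdump destinations through a simplified model of the quoted ruleset: last matching rule wins (no rule uses `quick`), and `to net0` matches only the interface's own addresses. The net0 address 203.0.113.10 and the offline name table are constructed assumptions.

```python
"""Check what the quoted pf ruleset should do with the captured packets.

Constructed model, not pf's real matcher: only 'last match wins' and
'to net0 == the interface's own addresses' are modelled.
"""
import ipaddress

# Constructed: address assumed to be configured on net0 (documentation range).
NET0_ADDRS = {ipaddress.ip_address("203.0.113.10")}

# Offline resolution of the names tcpdump printed (RFC 1112 / IANA values).
NAMES = {"ALL-ROUTERS.MCAST.NET": "224.0.0.2"}
SERVICES = {"mdns": 5353, "domain": 53, "isakmp": 500}

# Inbound rules from the report, in order: (action, protos, destination, ports).
RULES = [
    ("block", None, None, None),              # block in log all
    ("pass", {"tcp", "udp"}, "net0", {53}),   # pass in ... to net0 port domain
    ("pass", {"udp"}, "net0", {500, 4500}),   # pass in ... port { isakmp, 4500 }
]

# The four destinations quoted in the report (source side is not needed).
CAPTURE = """ks358229.kimsufi.com.mdns > 224.0.0.251.mdns
rbx-48-m2.routers.ovh.net.1985 > ALL-ROUTERS.MCAST.NET.1985
pastel-pink.feralhosting.com.6771 > 239.192.152.143.6771
ks358206.kimsufi.com.50914 > 239.255.255.250.1900"""

def parse_dst(line):
    """Return (ip, port) for the destination of a 'src.port > dst.port' line."""
    host, port = line.split(">")[1].strip().rstrip(":").rsplit(".", 1)
    return ipaddress.ip_address(NAMES.get(host, host)), SERVICES.get(port) or int(port)

def pf_decision(ip, port, proto="udp"):
    """Walk the rules in order; the last one that matches decides (pf default: pass)."""
    action = "pass"
    for act, protos, to, ports in RULES:
        if protos and proto not in protos:
            continue
        if to == "net0" and ip not in NET0_ADDRS:
            continue  # multicast groups are never interface addresses
        if ports and port not in ports:
            continue
        action = act
    return action

def analyse(capture=CAPTURE):
    """Yield (dst_ip, dst_port, is_multicast, expected_action) per captured line."""
    return [(str(ip), port, ip.is_multicast, pf_decision(ip, port))
            for ip, port in (parse_dst(l) for l in capture.splitlines() if ">" in l)]
```

Under this model every captured destination is multicast and falls through to `block in log all`; confirming that on the live system means reading pflog0, since a bpf capture on net0 sees inbound frames before pf filters them.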