Date: Thu, 12 Nov 2009 21:10:28 GMT From: "Stephane D'Alu" <sdalu@sdalu.com> To: freebsd-gnats-submit@FreeBSD.org Subject: kern/140512: pf doesn't block udp packets on multicast addresses Message-ID: <200911122110.nACLASNR069948@www.freebsd.org> Resent-Message-ID: <200911122120.nACLK1as045306@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 140512
>Category: kern
>Synopsis: pf doesn't block udp packets on multicast addresses
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Nov 12 21:20:01 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator: Stephane D'Alu
>Release: 8.0-RC2
>Organization:
>Environment:
FreeBSD incal.sdalu.com 8.0-RC2 FreeBSD 8.0-RC2 #14: Mon Nov 9 23:14:33 CET 2009 root@incal.sdalu.com:/usr/obj/usr/src/sys/INCAL amd64
>Description:
for udp firewall rule is somewhat equivalent to (full rules available on request)
set skip on lo0
scrub in all
block in log all
pass out all
pass in proto { tcp, udp } from any to net0 port domain
pass in proto udp from any to net0 port { isakmp, 4500 }
When sniffing net0 with tcpdump the following packet will show up:
ks358229.kimsufi.com.mdns > 224.0.0.251.mdns
rbx-48-m2.routers.ovh.net.1985 > ALL-ROUTERS.MCAST.NET.1985
pastel-pink.feralhosting.com.6771 > 239.192.152.143.6771
ks358206.kimsufi.com.50914 > 239.255.255.250.1900
They all seems to be using multicast addresses
(Dont know if broadcast or tcp have the same issue)
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200911122110.nACLASNR069948>