From: Steffen Rick
To: freebsd-net@freebsd.org
Date: Wed, 3 Jul 2019 17:42:29 +0100
Subject: ipfilter not creating entries in the state table
Message-ID: <20190703164229.GA5930@gefjun.hzn.srick.org>
Hi, hoping you guys can help me with this.

I'm somehow unable to create an ipfilter configuration that will use
stateful filtering on IPv6.

What I have is a very simple ipf.rules file:

ipf.rules:

    pass in quick on lo0 all
    pass out quick on lo0 all
    pass out quick on re0 all keep state
    pass in quick on re0 proto tcp from any to any port = 22
    block in log quick on re0 all

Default kernel-wise is to accept traffic (I do this so as not to log
myself out when working remotely).

When I look up www.google.com over IPv4 I get an entry in the state table:

    dig -A www.google.com @8.8.8.8
    ipfstat -t

    Src: 0.0.0.0, Dest: 0.0.0.0, Proto: any, Sorted by: # bytes
    Source IP           Destination IP        ST   PR   #pkts  #bytes  ttl
    188.40.60.69,22     80.79.143.188,47160   4/4  tcp  75     14048   119:59:59
    188.40.60.96,51126  8.8.8.8,53            0/0  udp  1      83      0:03

When I try to look up the A record on the IPv6 server I get no state
table entry:

    dig -A www.google.com @2001:4860:4860::8888

No state table entry and no response from the server:

    tcpdump -nnn host 2001:4860:4860::8888
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on re0, link-type EN10MB (Ethernet), capture size 262144 bytes
    16:48:48.588867 IP6 2a01:4f8:221:181::2.62706 > 2001:4860:4860::8888.53: 15010+ [1au] A? www.google.com. (55)
    16:48:48.602580 IP6 2001:4860:4860::8888.53 > 2a01:4f8:221:181::2.62706: 15010 1/0/1 A 216.58.206.4 (59)
    16:48:53.663637 IP6 2a01:4f8:221:181::2.62706 > 2001:4860:4860::8888.53: 15010+ [1au] A? www.google.com. (55)
    16:48:53.668845 IP6 2001:4860:4860::8888.53 > 2a01:4f8:221:181::2.62706: 15010 1/0/1 A 216.58.206.4 (59)
    16:48:58.744154 IP6 2a01:4f8:221:181::2.62706 > 2001:4860:4860::8888.53: 15010+ [1au] A? www.google.com. (55)
    16:48:58.764794 IP6 2001:4860:4860::8888.53 > 2a01:4f8:221:181::2.62706: 15010 1/0/1 A 216.58.206.4 (59)
    ^C

The request seems to have gone through just fine, but my dig client
times out.

If I change the ruleset to include

    pass in quick on re0 inet6 proto tcp from any port = 53
    pass in quick on re0 inet6 proto udp from any port = 53

then I'm obviously able to get a response from the server:

    tcpdump -nnn host 2001:4860:4860::8888
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on re0, link-type EN10MB (Ethernet), capture size 262144 bytes
    16:47:36.738177 IP6 2a01:4f8:221:181::2.40852 > 2001:4860:4860::8888.53: 54683+ [1au] A? www.google.com. (55)
    16:47:36.751447 IP6 2001:4860:4860::8888.53 > 2a01:4f8:221:181::2.40852: 54683 1/0/1 A 172.217.18.164 (59)
    ^C

That obviously ignores the statefulness of the firewall.

Is this a known issue? Has anyone got ipfilter working with stateful
rules being created correctly when making outbound requests?

Any help appreciated!

Thanks,
Steffen
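A small diagnostic for the symptom described in the post, added here as an example and not part of the original message: it parses tcpdump -nnn and ipfstat -t output (constructed samples in the shape shown above) and lists outbound flows whose reply reached the wire but have no matching state entry, which is exactly the case where the reply falls through to the "block in log quick" rule and the client times out. The LOCAL set of the host's own addresses is an assumption taken from the post's output.

```python
import re

# Constructed sample input in the shape of the post's own tcpdump -nnn and
# ipfstat -t output: the IPv6 query and its reply as seen on the wire, and a
# state table that only holds the IPv4 entries.
TCPDUMP = """\
16:48:48.588867 IP6 2a01:4f8:221:181::2.62706 > 2001:4860:4860::8888.53: 15010+ [1au] A? www.google.com. (55)
16:48:48.602580 IP6 2001:4860:4860::8888.53 > 2a01:4f8:221:181::2.62706: 15010 1/0/1 A 216.58.206.4 (59)
"""
IPFSTAT = """\
Source IP Destination IP ST PR #pkts #bytes ttl
188.40.60.69,22 80.79.143.188,47160 4/4 tcp 75 14048 119:59:59
188.40.60.96,51126 8.8.8.8,53 0/0 udp 1 83 0:03
"""
# Assumed: the firewall host's own addresses (taken from the post's output).
LOCAL = {"2a01:4f8:221:181::2", "188.40.60.96", "188.40.60.69"}

PKT_RE = re.compile(r"^\S+ IP6? (\S+) > (\S+):")

def endpoint(s):
    """tcpdump -nnn prints addr.port; the port follows the last dot for v4 and v6."""
    addr, port = s.rsplit(".", 1)
    return addr, int(port)

def parse_tcpdump(text):
    """Yield (src, sport, dst, dport) for each decoded packet line."""
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if m:
            yield endpoint(m.group(1)) + endpoint(m.group(2))

def parse_state(text):
    """Return the set of (src, sport, dst, dport) state entries from ipfstat -t."""
    entries = set()
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 4 and "," in f[0] and "," in f[1]:
            s, sp = f[0].split(",")
            d, dp = f[1].split(",")
            entries.add((s, int(sp), d, int(dp)))
    return entries

def missing_state(tcpdump, ipfstat, local):
    """Outbound flows whose reply reached the wire but that have no state entry,
    so the reply is judged by the plain rules (here: block in log quick)."""
    pkts = list(parse_tcpdump(tcpdump))
    state = parse_state(ipfstat)
    outbound = {p for p in pkts if p[0] in local}
    answered = {(p[2], p[3], p[0], p[1]) for p in pkts if p[2] in local}
    return sorted(f for f in outbound if f in answered and f not in state)
```

On a live host, feed it the captured tcpdump text and the state listing; note that ipfstat shows the IPv4 view by default and has a -6 option for IPv6 rule and state output, so check that view before concluding no state was created.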