Date: Tue, 7 Oct 2008 12:51:13 GMT
From: Henri Hennebert <hlh@restart.be>
To: freebsd-gnats-submit@FreeBSD.org
Subject: kern/127920: pf : ipv6 and synproxy don't play well together
Message-ID: <200810071251.m97CpDAu032730@www.freebsd.org>
Resent-Message-ID: <200810071300.m97D09UJ098681@freefall.freebsd.org>
>Number: 127920
>Category: kern
>Synopsis: pf : ipv6 and synproxy don't play well together
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Oct 07 13:00:09 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator: Henri Hennebert
>Release: FreeBSD 7.1-PRERELEASE
>Organization:
>Environment:
FreeBSD morzine.restart.bel 7.1-PRERELEASE FreeBSD 7.1-PRERELEASE #0: Sat Oct 4 17:19:46 CEST 2008 root@morzine.restart.bel:/usr/obj/usr/src/sys/MORZINE i386
>Description:
My pf.conf:
---begin---
net_if="em0"
set block-policy drop
set debug misc
set loginterface $net_if
set state-policy if-bound
scrub in all
block in log all
block out log all
set skip on lo0
antispoof quick for $net_if inet
pass out quick on $net_if proto { tcp, udp, icmp, icmp6 } all keep state
pass in quick on $net_if proto udp from any to ($net_if) port domain
pass quick inet proto icmp all icmp-type echoreq keep state
pass in quick inet proto icmp all icmp-type unreach code needfrag
pass in quick inet6 proto icmp6 all
pass in quick on $net_if proto tcp from any to ($net_if) port ssh\
flags S/SA synproxy state (source-track rule, max-src-conn-rate 1/5,\
overload <bad_hosts> flush)
pass quick on $net_if proto ipv6
pass quick on $net_if inet6
--- end ---
Note the last rule, which allows any IPv6 traffic!
If I `ssh -4` to this box, the connection succeeds.
If I `ssh -6` to this box, I get a timeout and the last rule is of no use.
If I comment out the rule with synproxy, `ssh -6` succeeds - the last rule allows it.
If I replace `synproxy state` with `keep state` everything is as expected.
Henri
>How-To-Repeat:
see above.
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
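The following pf.conf fragment is an added example, not the reporter's configuration or an official FreeBSD fix. It only rearranges what the report already establishes: synproxy on the SSH rule works for IPv4 but breaks IPv6, while `keep state` works for both. The SSH rule is therefore split by address family so that synproxy applies to inet only and inet6 falls back to `keep state`, keeping the same source-tracking limits on both. The `table <bad_hosts>` line and the interface name are assumptions (the report references the table but does not show its definition).

```pf
# Added example: workaround layout for the synproxy/IPv6 problem described above.
# Assumed: em0 is the external interface and <bad_hosts> is a persistent table
# (the original report uses the table but does not show its definition).
net_if="em0"
table <bad_hosts> persist

set block-policy drop
set state-policy if-bound
set skip on lo0

scrub in all

# Default deny in both directions, logged.
block in log all
block out log all

# Sources that hit the overload threshold are dropped before anything else.
block in quick on $net_if from <bad_hosts>

# IPv4 SSH: synproxy completes the handshake on the firewall's behalf, as in
# the reporter's config, where `ssh -4` is observed to work.
pass in quick on $net_if inet proto tcp from any to ($net_if) port ssh \
    flags S/SA synproxy state (source-track rule, max-src-conn-rate 1/5, \
    overload <bad_hosts> flush)

# IPv6 SSH: plain stateful filtering instead of synproxy, which is the
# variant the reporter found lets `ssh -6` connect. The connection-rate
# limit and overload table still apply, so brute-force throttling is kept;
# only the SYN-proxying is given up on inet6 until the kernel bug is resolved.
pass in quick on $net_if inet6 proto tcp from any to ($net_if) port ssh \
    flags S/SA keep state (source-track rule, max-src-conn-rate 1/5, \
    overload <bad_hosts> flush)

pass out quick on $net_if proto { tcp, udp, icmp, icmp6 } all keep state
```

Check the syntax before loading with `pfctl -nf /etc/pf.conf`, confirm the two SSH rules were installed as intended with `pfctl -sr`, and watch which sources have been moved into the overload table with `pfctl -t bad_hosts -T show`; a host that appears there after a burst of failed logins over either address family confirms the rate limit still works without synproxy on inet6.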
