From: Mike Saywell <ms@ecs.soton.ac.uk>
To: pf4freebsd@freelists.org
Subject: [pf4freebsd] Statefull IPv6
Date: Tue, 2 Dec 2003 17:20:34 +0000
Message-ID: <20031202172034.GB30410@login.ecs.soton.ac.uk>

Hi there,

We're using FreeBSD 5.1 + PF 2.00 (from ports) as an IPv6 firewall; however, I can't seem to make stateful filtering work with IPv6... I am new to packetfilter so it might just be a misunderstanding on my part though.
The setup is:

    Zim--------Firewall----------Centaur
              dc1       dc2

Interfaces:

Zim:
    eth0      Link encap:Ethernet  HWaddr 00:A0:24:CB:67:44
              inet addr:192.168.1.2  Bcast:192.168.1.255  Mask:255.255.255.0
              inet6 addr: 2001:630:d0:901::2/64 Scope:Global
              inet6 addr: fe80::2a0:24ff:fecb:6744/64 Scope:Link

Firewall:
    dc1: flags=8843 mtu 1500
            inet6 fe80::280:c8ff:fec9:9cbe%dc1 prefixlen 64 scopeid 0x2
            inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
            inet6 2001:630:d0:901::1 prefixlen 64
    dc2: flags=8843 mtu 1500
            inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
            inet6 fe80::280:c8ff:fec9:9cbf%dc2 prefixlen 64 scopeid 0x3
            inet6 2001:630:d0:902::1 prefixlen 64

Centaur:
    eth1      Link encap:Ethernet  HWaddr 00:50:DA:E0:C7:B2
              inet addr:192.168.2.2  Bcast:192.168.2.255  Mask:255.255.255.0
              inet6 addr: 2001:630:d0:902::2/64 Scope:Global
              inet6 addr: fe80::250:daff:fee0:c7b2/10 Scope:Link

I've added routes on zim and centaur so that they can ping each other over both IPv4 and IPv6 when pf is disabled. I'm trying to allow all traffic from Zim and only stateful from Centaur back in.
Here is my pf.conf:

    # Define some interfaces
    iam_if = "dc0"
    one_if = "dc1"
    two_if = "dc2"

    # Default deny
    block in log all
    block out log all

    # Pass everything on iam_if since that's how I'm ssh'ed in :)
    pass quick on $iam_if all

    # Pass traffic on the loopback interface in either direction
    pass quick on lo0 all

    # Pass link local and multicast traffic
    pass quick log from any to fe00::/8
    pass quick log from any to ff00::/8

    # Allow traffic directly to/from our interfaces
    pass quick log from any to { $one_if, $two_if }

    # Allow all traffic from/to/between internal ipv6 nets
    pass in log on $one_if all
    pass out log on $one_if all

    # Allow all outbound traffic keeping state
    pass out log on $two_if all keep state

IPv4 from Zim to Centaur works fine (as expected); the logs show a pass in each direction:

    999348 rule 12/0(match): pass in on dc1: 192.168.1.2 > 192.168.2.2: icmp: echo request (DF)
    000896 rule 13/0(match): pass out on dc1: 192.168.2.2 > 192.168.1.2: icmp: echo reply

However IPv6 pings don't.... In the log I get:

    63. 384244 rule 12/0(match): pass in on dc1: 2001:630:d0:901::2 > 2001:630:d0:902::2: icmp6: echo request
    000531 rule 0/0(match): block in on dc2: 2001:630:d0:902::2 > 2001:630:d0:901::2: icmp6: echo reply

It's the same for all other traffic too, e.g. ssh:

    000000 rule 12/0(match): pass in on dc1: 2001:630:d0:901::2.42559 > 2001:630:d0:902::2.22: [|tcp]
    000617 rule 0/0(match): block in on dc2: 2001:630:d0:902::2.22 > 2001:630:d0:901::2.42559: [|tcp]

Also if I dump the state whilst pinging from Zim to Centaur then with IPv4 I see:

    -su-2.05b# pfctl -ss
    icmp 192.168.1.2:22051 -> 192.168.2.2:22051       0:0

but when using IPv6 it's blank. :(

So it seems like "keep state" is only working with IPv4??
The full expanded ruleset is:

    block drop in log all
    block drop out log all
    pass quick on dc0 all
    pass quick on lo0 all
    pass log quick inet6 from any to fe00::/8
    pass log quick inet6 from any to ff00::/8
    pass log quick on dc1 inet6 from any to fe80::280:c8ff:fec9:9cbe
    pass log quick inet from any to 192.168.1.1
    pass log quick inet6 from any to 2001:630:d0:901::1
    pass log quick inet from any to 192.168.2.1
    pass log quick on dc2 inet6 from any to fe80::280:c8ff:fec9:9cbf
    pass log quick inet6 from any to 2001:630:d0:902::1
    pass in log on dc1 all
    pass out log on dc1 all
    pass out log on dc2 all keep state

Does anybody have any ideas? The setup above should be fairly easy to reproduce... I'll try and get an OpenBSD machine running so I can see if it's a general pf problem or a FreeBSD specific one...

Mike
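The symptom above can be checked mechanically against pflog output: a packet that hits the default block rule although the reverse direction of the same flow was earlier passed in on another interface is a flow for which pf kept no state. The following script is an added example, not part of Mike's post or of pf itself; it runs that check over the six log lines quoted above (embedded as a constructed sample, with the timestamp column normalised) and handles tcpdump-style addr.port endpoints for both IPv4 and IPv6.

```python
import re

# Constructed sample: the pflog lines quoted in the post, soft line breaks undone
# and the leading timestamp field normalised to a single number.
SAMPLE_LOG = """\
999348 rule 12/0(match): pass in on dc1: 192.168.1.2 > 192.168.2.2: icmp: echo request (DF)
000896 rule 13/0(match): pass out on dc1: 192.168.2.2 > 192.168.1.2: icmp: echo reply
384244 rule 12/0(match): pass in on dc1: 2001:630:d0:901::2 > 2001:630:d0:902::2: icmp6: echo request
000531 rule 0/0(match): block in on dc2: 2001:630:d0:902::2 > 2001:630:d0:901::2: icmp6: echo reply
000000 rule 12/0(match): pass in on dc1: 2001:630:d0:901::2.42559 > 2001:630:d0:902::2.22: [|tcp]
000617 rule 0/0(match): block in on dc2: 2001:630:d0:902::2.22 > 2001:630:d0:901::2.42559: [|tcp]
"""

LINE_RE = re.compile(r"^\d+ rule (?P<rule>\d+)/\d+\(match\): (?P<action>pass|block) (?P<dir>in|out) "
                     r"on (?P<ifn>\w+): (?P<src>\S+?) > (?P<dst>\S+?): (?P<proto>[^\s:]+)")

def split_endpoint(ep):
    """Split a tcpdump-style 'addr.port' endpoint into (addr, port); port is None if absent."""
    if ":" in ep:                       # IPv6 literal: a '.' can only introduce a port
        addr, dot, port = ep.rpartition(".")
        return (addr, int(port)) if dot else (ep, None)
    parts = ep.split(".")               # IPv4: five dotted fields means a port follows
    return (".".join(parts[:4]), int(parts[4])) if len(parts) == 5 else (ep, None)

def parse(log):
    """One dict per parsable pflog line, endpoints split and address family tagged."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            r = m.groupdict()
            r["src"], r["sport"] = split_endpoint(r["src"])
            r["dst"], r["dport"] = split_endpoint(r["dst"])
            r["family"] = 6 if ":" in r["src"] else 4
            yield r

def blocked_replies(log):
    """Blocked packets whose reverse flow was earlier passed in on a different interface."""
    # With state kept, a reply is matched by the state table and never reaches the
    # ruleset, so each hit is a forwarded flow for which pf created no state.
    passed, hits = set(), []
    for r in parse(log):
        flow = (r["proto"], r["src"], r["sport"], r["dst"], r["dport"])
        if r["action"] == "pass" and r["dir"] == "in":
            passed.add((r["ifn"], flow))
        elif r["action"] == "block":
            reverse = (r["proto"], r["dst"], r["dport"], r["src"], r["sport"])
            if any(f == reverse and ifn != r["ifn"] for ifn, f in passed):
                hits.append({"family": r["family"], "proto": r["proto"], "blocked_on": r["ifn"],
                             "rule": int(r["rule"]), "from": r["src"], "to": r["dst"]})
    return hits
```

Run `blocked_replies(SAMPLE_LOG)` (or feed it `tcpdump -n -e -ttt -i pflog0` output): on the sample it reports only the two IPv6 replies, both dropped on dc2 by rule 0, and nothing for IPv4.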