Date: Sat, 22 Apr 2006 01:05:42 -0400
From: "Michael W. Oliver" <michael@gargantuan.com>
To: pf@freebsd.org
Subject: (long) antispoof for inet6 before inet6 addr assignment
Message-ID: <20060422050542.GG44647@gargantuan.com>
Hi folks,

I am using FreeBSD (semi)-CURRENT, here is my uname:

FreeBSD gambit.gargantuan.com 7.0-CURRENT FreeBSD 7.0-CURRENT #0: Wed Mar 15 12:56:49 EST 2006 mwoliver@gambit.gargantuan.com:/usr/obj/usr/src/sys/GAMBIT i386

I have the following lines (among others) in my pf.conf file:

...
antispoof quick for $int_if inet
antispoof quick for $int_if inet6
antispoof quick for $ext_if inet
antispoof quick for $ext_if inet6
...

After adding these rules, I rebooted my PC and upon boot the pf rules were not loaded, and here is why (from dmesg -a):

-----8<-----
Starting wpa_supplicant.
DHCPREQUEST on ath0 to 255.255.255.255 port 67
DHCPREQUEST on ath0 to 255.255.255.255 port 67
DHCPREQUEST on ath0 to 255.255.255.255 port 67
DHCPACK from 10.0.0.7
bound to 10.0.0.27 -- renewal in 43200 seconds.
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
        inet 127.0.0.1 netmask 0xff000000
ath0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet6 fe80::20f:eaff:fe60:3337%ath0 prefixlen 64 scopeid 0x1
        inet 10.0.0.27 netmask 0xffffff00 broadcast 10.0.0.255
        ether 00:0f:ea:60:33:37
        media: IEEE 802.11 Wireless Ethernet autoselect (OFDM/54Mbps)
        status: associated
        ssid ******* channel 5 bssid 00:13:10:e3:3a:78
        authmode WPA privacy ON deftxkey UNDEF TKIP 3:128-bit txpowmax 51 protmode CTS burst roaming MANUAL bintval 100
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=18<VLAN_MTU,VLAN_HWTAGGING>
        inet6 fe80::290:f5ff:fe32:359f%re0 prefixlen 64 tentative scopeid 0x3
        inet 172.31.1.1 netmask 0xffffff00 broadcast 172.31.1.255
        ether 00:90:f5:32:35:9f
        media: Ethernet autoselect (none)
        status: no carrier
Starting pflog.
Apr 21 19:08:16 pflogd[294]: [priv]: msg PRIV_OPEN_LOG received
Enabling pf.
/etc/pf.conf:90: rule expands to no valid combination
/etc/pf.conf:92: rule expands to no valid combination
pfctl: Syntax error in config file: pf rules not loaded
pf enabled
Additional routing options: .
add net ::ffff:0.0.0.0: gateway ::1
add net ::0.0.0.0: gateway ::1
net.inet6.ip6.forwarding: 0 -> 0
ath0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet6 fe80::20f:eaff:fe60:3337%ath0 prefixlen 64 scopeid 0x1
        inet6 2001:4830:2502:8001::a00:1b prefixlen 64 tentative
fwe0: flags=108802<BROADCAST,SIMPLEX,MULTICAST,NEEDSGIANT> mtu 1500
        options=8<VLAN_MTU>
        ch 1 dma -1
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=18<VLAN_MTU,VLAN_HWTAGGING>
        inet6 fe80::290:f5ff:fe32:359f%re0 prefixlen 64 tentative scopeid 0x3
        inet6 2001:4830:2502:8080::ac1f:101 prefixlen 64 tentative
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
pfsync0: flags=0<> mtu 2020
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33208
add net fe80::: gateway ::1
add net ff02::: gateway ::1
add net default: gateway 2001:4830:2502:8001::1
IPv4 mapped IPv6 address support=NO
Starting devd.
.............. etc.
-----8<-----

Now, I am no expert, but it looks like the link-local address isn't enough to satisfy pf so that it will load the rules, because I saw the same "rule expands to no valid combination" error when testing this config before having a non-link-local addr assigned to re0. It looks like pf is being started after the inet config, but before the inet6 config, and since there are no non-link-local addrs assigned yet, pf is failing to load the pf.conf rules.

Is this a simple order-of-operation bug, or am I doing something wrong?

Just so you know, this isn't a live firewall yet, just a simple setup I am doing on my laptop to become familiar with pf enough to (maybe) move away from IPFW2.
Here is some more (maybe relevant) info:

pf.conf:
--------------------
$ cat /etc/pf.conf | egrep -v '(^#|^$)'
ext_if="ath0" # replace with actual external interface name i.e., dc0
int_if="re0" # replace with actual internal interface name i.e., dc1
internal_net="172.31.1.1/24"
external_addr="10.0.0.27"
table <lak_nets> { 10.0.0.0/24, 172.16.0.0/24 }
table <jax_nets> { 192.168.0.0/24, 192.168.1.0/24 }
table <firewall> const { self }
set skip on lo0
scrub in on $ext_if all no-df fragment reassemble
nat on $ext_if from $internal_net to any -> ($ext_if)
rdr on $ext_if proto tcp from any to $external_addr/32 port 2222 -> 172.16.31.2 port 22
rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
block all
block in log all
antispoof quick for $int_if inet
antispoof quick for $int_if inet6
antispoof quick for $ext_if inet
antispoof quick for $ext_if inet6
pass in on $ext_if proto tcp from any to $ext_if port 22 flags S/SA modulate state
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
pass out on $ext_if proto { ipv6, ipv6-route, ipv6-frag, ipv6-icmp, ipv6-nonxt, ipv6-opts, esp } all keep state
pass in on $ext_if inet proto tcp from any to $ext_if user proxy keep state
pass in on $ext_if proto { ipv6-icmp } from any keep state
pass in log on $ext_if proto tcp from any to ! <firewall> \
    port ssh flags S/SA synproxy state

/etc/rc.conf:
--------------------------
$ egrep '(ath0|re0|pf)' /etc/rc.conf | grep -v ^#
ifconfig_re0="inet 172.31.1.1/24"
ifconfig_ath0="WPA DHCP"
ipv6_ifconfig_ath0="2001:4830:2502:8001::a00:1b/64"
ipv6_ifconfig_re0="2001:4830:2502:8080::ac1f:101/64"
pf_enable="YES"
pflog_enable="YES"

Thanks for your help, have a good day!
-- 
Mike Oliver, KI4OFU
[see complete headers for contact information]
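The symptom reported above is that "antispoof quick for $if inet6" fails to expand while the interface carries only a link-local (fe80::/10) address. The script below is an added example, not code from the message or from FreeBSD's rc scripts: a hypothetical pre-flight check that a startup script could run before "pfctl -f /etc/pf.conf", deciding from ifconfig(8) output whether an interface has an inet6 address that is neither link-local nor still tentative. The two ifconfig listings are constructed samples (the first transcribed from the dmesg output in the message at the moment "Enabling pf." ran, the second an assumed later state once the ipv6_ifconfig_* addresses are up); treating tentative addresses as not yet usable is a conservative choice of this check, not something the message establishes about pfctl.

```shell
#!/bin/sh
# Added example (hypothetical helper, not FreeBSD's rc and not the poster's code):
# decide whether "antispoof ... inet6" has a non-link-local address to expand on.

# Sample 1 (constructed from the message's dmesg): state when "Enabling pf." ran.
# Both interfaces have only link-local inet6 addresses; re0's is still tentative.
IFCONFIG_AT_PF_START='ath0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet6 fe80::20f:eaff:fe60:3337%ath0 prefixlen 64 scopeid 0x1
        inet 10.0.0.27 netmask 0xffffff00 broadcast 10.0.0.255
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet6 fe80::290:f5ff:fe32:359f%re0 prefixlen 64 tentative scopeid 0x3
        inet 172.31.1.1 netmask 0xffffff00 broadcast 172.31.1.255'

# Sample 2 (constructed, assumed later state): ipv6_ifconfig_* addresses assigned.
# ath0 has finished duplicate address detection; re0 (no carrier) is still tentative.
IFCONFIG_LATER='ath0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet6 fe80::20f:eaff:fe60:3337%ath0 prefixlen 64 scopeid 0x1
        inet6 2001:4830:2502:8001::a00:1b prefixlen 64
        inet 10.0.0.27 netmask 0xffffff00 broadcast 10.0.0.255
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet6 fe80::290:f5ff:fe32:359f%re0 prefixlen 64 tentative scopeid 0x3
        inet6 2001:4830:2502:8080::ac1f:101 prefixlen 64 tentative
        inet 172.31.1.1 netmask 0xffffff00 broadcast 172.31.1.255'

# usable_inet6_addrs IFNAME IFCONFIG_TEXT
# Print IFNAME's inet6 addresses that are neither link-local (fe80::/10) nor
# flagged tentative/duplicated by DAD, one per line. Empty output means the
# "antispoof ... inet6" rule for IFNAME has nothing to expand to.
usable_inet6_addrs() {
        printf '%s\n' "$2" | awk -v want="$1" '
                /^[A-Za-z0-9_.]+:/ { cur = $1; sub(/:$/, "", cur); next }   # interface header
                cur == want && $1 == "inet6" {
                        addr = $2
                        sub(/%.*/, "", addr)                    # drop the %scope suffix
                        if (addr ~ /^[fF][eE][89aAbB]/) next    # link-local, not usable
                        if ($0 ~ /tentative|duplicated/) next   # DAD not finished or failed
                        print addr
                }'
}

# check_antispoof_inet6 IFNAME IFCONFIG_TEXT
# Exit 0 when IFNAME has at least one usable inet6 address, 1 otherwise.
check_antispoof_inet6() {
        [ -n "$(usable_inet6_addrs "$1" "$2")" ]
}

# wait_for_inet6 IFNAME TIMEOUT_SECONDS
# Poll the live ifconfig(8) output until IFNAME is usable or time runs out.
# Meant for a startup script that runs before "pfctl -f /etc/pf.conf"; not used offline.
wait_for_inet6() {
        _waited=0
        while [ "$_waited" -lt "$2" ]; do
                if check_antispoof_inet6 "$1" "$(ifconfig "$1" 2>/dev/null)"; then
                        return 0
                fi
                sleep 1
                _waited=$((_waited + 1))
        done
        return 1
}

# report LABEL IFNAME IFCONFIG_TEXT: one-line verdict for the demonstration below.
report() {
        if check_antispoof_inet6 "$2" "$3"; then
                printf '%s %s: inet6 antispoof can expand (%s)\n' "$1" "$2" \
                        "$(usable_inet6_addrs "$2" "$3" | tr '\n' ' ')"
        else
                printf '%s %s: no usable inet6 address yet, rule would fail to expand\n' "$1" "$2"
        fi
}

# Demonstration on the constructed samples.
report at-pf-start ath0 "$IFCONFIG_AT_PF_START"
report at-pf-start re0  "$IFCONFIG_AT_PF_START"
report later       ath0 "$IFCONFIG_LATER"
report later       re0  "$IFCONFIG_LATER"
```

In a boot script the useful call is "wait_for_inet6 re0 30 && pfctl -f /etc/pf.conf", or "pfctl -nf /etc/pf.conf" right after the check to see whether the inet6 antispoof lines still expand to nothing.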
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060422050542.GG44647>