Date:      Sun, 21 Jun 2020 23:28:21 +0200
From:      "Kristof Provost" <kp@FreeBSD.org>
To:        "David Mehler" <dave.mehler@gmail.com>
Cc:        freebsd-pf <freebsd-pf@freebsd.org>
Subject:   Re: Need a PF consultant
Message-ID:  <EB869194-3BBD-4A17-8881-A630369BE358@FreeBSD.org>
In-Reply-To: <CAPORhP5cXn3tNM4KY78--2aoQmCDs+QE_c1XvyouEZCbby9Dxw@mail.gmail.com>
References:  <CAPORhP5cXn3tNM4KY78--2aoQmCDs+QE_c1XvyouEZCbby9Dxw@mail.gmail.com>

On 21 Jun 2020, at 23:11, David Mehler wrote:
> Anyone a pf expert wanting to make some extra money?
>
> I'm in need of consulting, I'm having an issue with my PF
> configuration, I've got a much longer message with output and netstat
> and all that, if anyone is interested email me privately with rates
> and I'll send the details, but in brief I've got FreeBSD 12.1 going,
> my provider gives me an IPv6 address, on boot if I ping6 out I get a
> UDP connect no route to host message, disable and reenable pf and I
> can ping6 out as root, and as a user, for about five minutes, then I
> start getting packets are able to be sent out, but nothing comes back.
> About five minutes later again as root and as a user I'm getting the
> UDP connect no route to host message.
>
That sounds a lot like you’re dropping router and/or neighbour advertisements.

Make sure you’ve got at least the following pass rules:

	# IPv6 link-local traffic (DAD from the unspecified address, link-local to link-local/multicast)
	pass quick inet6 proto icmp6 from :: to ff02::/16
	pass quick inet6 proto icmp6 from fe80::/10 to fe80::/10
	pass quick inet6 proto icmp6 from fe80::/10 to ff02::/16

	# IPv6 Traffic That Must Not Be Dropped (RFC4890 4.3.1)
	pass quick inet6 proto icmp6 from any to any icmp6-type { unreach, toobig }
	pass quick inet6 proto icmp6 from any to any icmp6-type timex code 0
	pass quick inet6 proto icmp6 from any to any icmp6-type { paramprob code 1, paramprob code 2 }
	pass quick inet6 proto icmp6 from any to any icmp6-type { echoreq, echorep }

	# IPv6 Traffic That Normally Should Not Be Dropped (RFC4890 4.3.2)
	pass quick inet6 proto icmp6 from any to any icmp6-type timex code 1
	pass quick inet6 proto icmp6 from any to any icmp6-type paramprob code 0

	# IPv6 local configuration (ND, DAD, RS, etc...)
	pass quick inet6 proto icmp6 from any to any icmp6-type { routersol, routeradv }
	pass quick inet6 proto icmp6 from any to any icmp6-type { neighbrsol, neighbradv }
	# 141/142: inverse ND solicitation/advertisement
	pass quick inet6 proto icmp6 from any to any icmp6-type { 141, 142 }
	# MLD query/report/done, 143: MLDv2 report
	pass quick inet6 proto icmp6 from any to any icmp6-type { listqry, listenrep, listendone, 143 }
	# 148/149: SEND certificate path solicitation/advertisement
	pass quick inet6 proto icmp6 from any to any icmp6-type { 148, 149 }
	# 151-153: multicast router advertisement/solicitation/termination
	pass quick inet6 proto icmp6 from any to any icmp6-type { 151, 152, 153 }

At a guess the routersol/routeradv and neighbrsol/neighbradv are the ones you’re running into, but you likely want to allow all of these.

Best regards,
Kristof
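The rule list above is long enough that it is easy to miss one type when merging it into an existing pf.conf. The following checker is an added example, not code from the thread or from the pf project: it parses pass rules in pf.conf / `pfctl -sr` syntax, works out which ICMPv6 types each one covers, and reports which of the neighbour-discovery and RFC 4890 4.3.1 types no pass rule matches. The name-to-number table is the subset of pf's icmp6-type names used here, the "required" set is my own choice based on the types Kristof singles out, and the sample rulesets are constructed for the example. It deliberately ignores rule ordering, `block` rules, `quick`, interfaces and addresses, so a reported type means "no pass rule mentions it", not a full simulation of pf's evaluation.

```python
"""Report ICMPv6 types that no pf 'pass' rule covers (added example, not pf's code)."""
import re

# Subset of the icmp6-type names pf accepts, mapped to type numbers.
ICMP6_TYPE_NAMES = {
    "unreach": 1, "toobig": 2, "timex": 3, "paramprob": 4,
    "echoreq": 128, "echorep": 129,
    "listqry": 130, "listenrep": 131, "listendone": 132,
    "routersol": 133, "routeradv": 134,
    "neighbrsol": 135, "neighbradv": 136, "redir": 137,
}

# Types a host needs for basic IPv6 connectivity: neighbour discovery plus
# the RFC 4890 4.3.1 "must not be dropped" errors (my selection for this check).
REQUIRED = {
    133: "router solicitation", 134: "router advertisement",
    135: "neighbor solicitation", 136: "neighbor advertisement",
    1: "destination unreachable", 2: "packet too big",
    3: "time exceeded", 4: "parameter problem",
}

ALL = object()  # sentinel: the rule passes every ICMPv6 type

_PROTO_RE = re.compile(r"\bproto\s+(\{[^}]*\}|\S+)")
_TYPE_RE = re.compile(r"\bicmp6-type\s+(\{[^}]*\}|\S+(?:\s+code\s+\d+)?)")


def _braced_list(text):
    """'{ a, b code 1 }' -> ['a', 'b code 1']; a bare token -> [token]."""
    text = text.strip()
    if text.startswith("{"):
        return [item.strip() for item in text.strip("{}").split(",") if item.strip()]
    return [text]


def _type_number(name):
    name = name.lower()
    if name.isdigit():
        return int(name)
    if name in ICMP6_TYPE_NAMES:
        return ICMP6_TYPE_NAMES[name]
    raise ValueError(f"unknown icmp6-type {name!r}")


def passed_icmp6_types(rule):
    """Set of ICMPv6 type numbers one pf rule passes, ALL if it has no
    icmp6-type restriction, or None if it is not a pass rule for icmp6."""
    tokens = rule.split()
    if not tokens or tokens[0] != "pass":
        return None
    if "inet" in tokens:            # IPv4-only rule cannot carry ICMPv6
        return None
    m = _PROTO_RE.search(rule)
    if m:
        protos = {p.split()[0] for p in _braced_list(m.group(1))}
        if not protos & {"icmp6", "ipv6-icmp", "58"}:
            return None
    m = _TYPE_RE.search(rule)
    if not m:                       # 'proto icmp6' with no type list: everything
        return ALL
    return {_type_number(item.split()[0]) for item in _braced_list(m.group(1))}


def missing_required_types(ruleset):
    """{type_number: description} for REQUIRED types no pass rule covers."""
    covered = set()
    for line in ruleset.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        types = passed_icmp6_types(line)
        if types is None:
            continue
        if types is ALL:
            return {}
        covered |= types
    return {n: d for n, d in REQUIRED.items() if n not in covered}


# Constructed sample: echo and error types pass, but neighbour discovery never does.
NARROW_RULESET = """
block all
pass out quick inet6 proto icmp6 from any to any icmp6-type { echoreq, echorep }
pass quick inet6 proto icmp6 from any to any icmp6-type { unreach, toobig }
pass quick inet6 proto icmp6 from any to any icmp6-type timex code 0
pass quick inet6 proto icmp6 from any to any icmp6-type { paramprob code 1, paramprob code 2 }
"""

# Constructed sample in the shape of an unrestricted icmp/icmp6 pass rule.
WIDE_RULESET = """
ext_if = "vtnet0"
pass in quick on $ext_if proto { icmp, icmp6 }
"""

# The narrow set plus the ND rules from the thread.
ND_RULESET = NARROW_RULESET + """
pass quick inet6 proto icmp6 from any to any icmp6-type { routersol, routeradv }
pass quick inet6 proto icmp6 from any to any icmp6-type { neighbrsol, neighbradv }
"""

if __name__ == "__main__":
    for label, rules in (("narrow", NARROW_RULESET), ("wide", WIDE_RULESET), ("nd", ND_RULESET)):
        missing = missing_required_types(rules)
        print(f"{label}: missing {sorted(missing.values()) or 'nothing'}")
```

Run it against the live ruleset with `pfctl -sr` piped into `missing_required_types`. Because it ignores ordering, a clean result still does not prove the packets get through: `pfctl -vvsr` shows per-rule match counters, and a `block log` rule watched with `tcpdump -n -e -ttt -i pflog0` shows exactly which ICMPv6 type is being dropped.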

Date:      Sun, 21 Jun 2020 20:06:36 -0400
From:      "David Mehler" <dave.mehler@gmail.com>
To:        "Kristof Provost" <kp@freebsd.org>
Cc:        freebsd-pf <freebsd-pf@freebsd.org>
Subject:   Re: Need a PF consultant
Message-ID:  <CAPORhP4sLGro1yRcdtjxq7uqqX2pUuZajiueANQYe3xWc0+0mQ@mail.gmail.com>
In-Reply-To: <EB869194-3BBD-4A17-8881-A630369BE358@FreeBSD.org>
References:  <CAPORhP5cXn3tNM4KY78--2aoQmCDs+QE_c1XvyouEZCbby9Dxw@mail.gmail.com>
             <EB869194-3BBD-4A17-8881-A630369BE358@FreeBSD.org>

Hello,

Thanks for all your replies.

Donald, the IPv6 dns is working fine in this situation.

Kristof, here's what I originally had in my pf.conf file for ICMP:

pass out quick on $ext_if proto { icmp, icmp6 } modulate state
pass in quick on $ext_if proto { icmp, icmp6 }

I commented that out, added in your rules, disabled and reenabled PF,
and did a ping6. Good news is the first time I tried ping6 it worked,
bad news is the second time I tried it about two minutes later it sent
out the ping6 but didn't return anything, zero packets received. A few
minutes later doing the UDP connect no route to host thing again.

While the original focus of my question was IPv6, would you be willing
to assist me with my general configuration? As I said, I can go into
much more detail on this.

Thanks.
Dave.

