From owner-freebsd-pf@FreeBSD.ORG Mon Aug 23 17:03:41 2010
Message-ID: <4C72AA09.6030604@stuxnet.org>
Date: Mon, 23 Aug 2010 19:04:09 +0200
From: STux <tech@stuxnet.org>
User-Agent: Thunderbird 2.0.0.24 (X11/20100623)
To: freebsd-pf@freebsd.org
Subject: PF filtering with IPv6 and IPSEC
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hello guys,

I'm running FreeBSD 8.0 and I experience a problem with pf. The network configuration is the following:

NetworkA (ipv6) <=> gwA (openbsd) <=> wan (ipv6/ipsec) <=> gwB (freebsd) <=> NetworkB (ipv6)

OpenBSD is running isakmpd, and seems to be working well. FreeBSD is running racoon (ipsec-tools from ports).

Without pf enabled on FreeBSD, the ipv6/ipsec tunnel works well (tcpdump confirms it): machines on NetworkB access NetworkA and machines on NetworkA access NetworkB.

Code:
--------------------------------------------------------
23:30:00.815393 IP6 gwB > gwA: ESP(spi=0x0b9ef32c,seq=0xe), length 92
23:30:00.815546 IP6 gwA > gwB: ESP(spi=0xf3cb2428,seq=0x1a), length 92
--------------------------------------------------------

With pf enabled, tcpdump continues to show similar packets, and machines on NetworkA continue to access NetworkB, BUT machines on NetworkB accessing NetworkA are blocked by pf, for a singular reason.

pflog shows unencrypted packets from NetworkA to NetworkB. Example of an ssh connection initiated from NetworkB to NetworkA (this applies to all protocols except ICMP):

Code:
--------------------------------------------------------
00:00:00.000000 IP6 MachineA.ssh > MachineB.52719: Flags [S.], seq 1862827950, ack 2014870766, win 5712, options [mss 1440,sackOK,TS val 211216935 ecr 257703668,nop,wscale 4], length 0
--------------------------------------------------------

Please note the source port and flags!

I've tcpdumped on OpenBSD, and no packet is transmitted in clear from NetworkA to NetworkB. pf is enabled on OpenBSD. I don't think OpenBSD is the problem.

When pf is disabled on FreeBSD, there is no packet transmitted in clear from NetworkA to NetworkB: only encrypted packets from gwA to gwB and from gwB to gwA.

So I think there is a problem after decryption of the packet by racoon. But I don't see why (despite several nights ;) ).

For information: a sample of the pf.conf which causes the problem.

Code:
--------------------------------------------------------
ext_if="sis0"   # WAN side (IPsec peer gwA is reached through here)
int_if="sis1"   # LAN side (NetworkB)

# pf does not inspect loopback or the decrypted IPsec traffic on enc0
set skip on { lo0 enc0 }
set state-policy if-bound
set block-policy return

scrub in all

block in log (all, to pflog0)
pass out keep state
pass in on $ext_if keep state
pass in on $int_if keep state
--------------------------------------------------------

Any advice? Thanks.

Christophe.
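The pf.conf above uses `set skip on enc0`, so whatever comes out of the IPsec tunnel after decryption is never inspected by pf; the peer's tunnel is trusted completely. The following ruleset is an added example for this thread, not Christophe's configuration and not a reply from the list, and it is not offered as a diagnosis of the blocked SYN-ACK. It shows the alternative: keep filtering on enc(4), so only the expected inner addresses may cross the tunnel, and restrict IKE and ESP on the WAN side to the known peer gateway. The gateway and network addresses are constructed placeholders from the IPv6 documentation prefix, not values from the post.

```pf
# Added example ruleset: filter decrypted IPsec traffic on enc0
# instead of skipping it. Interface names match the original post;
# all addresses below are constructed placeholders (assumptions).
ext_if = "sis0"
int_if = "sis1"
gw_a   = "2001:db8:a::1"      # assumed WAN address of gwA (OpenBSD)
gw_b   = "2001:db8:b::1"      # assumed WAN address of gwB (this host)
net_a  = "2001:db8:a0::/64"   # assumed NetworkA prefix
net_b  = "2001:db8:b0::/64"   # assumed NetworkB prefix

# Loopback stays unfiltered; enc0 is deliberately NOT skipped.
set skip on lo0
set state-policy if-bound
set block-policy return
scrub in all

block in log (all, to pflog0)
pass out keep state

# WAN side: only the known peer may speak IKE (500, NAT-T 4500) and ESP.
pass in on $ext_if inet6 proto udp from $gw_a to $gw_b port { 500, 4500 } keep state
pass in on $ext_if inet6 proto esp from $gw_a to $gw_b

# Tunnel side: decrypted packets appear on enc0 with their inner
# addresses, so a peer can only inject traffic that fits these rules.
pass in  on enc0 inet6 from $net_a to $net_b keep state
pass out on enc0 inet6 from $net_b to $net_a keep state

# LAN side: hosts on NetworkB may initiate connections.
pass in on $int_if inet6 from $net_b keep state
```

For pf to see packets on enc0 at all, the interface has to be up (`ifconfig enc0 up`; see enc(4)); with it down the decrypted traffic is still forwarded but the enc0 rules above never match. Anything the peer sends through the tunnel that is not from `$net_a` to `$net_b` then lands in pflog instead of being forwarded silently.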