From: John-Mark Gurney
To: "J. Hellenthal"
Cc: FreeBSD-security@freebsd.org
Subject: Re: pf/pfctl loading CIDR tables & IPv6
Date: Sat, 14 Nov 2020 10:59:17 -0800
Message-ID: <20201114185917.GN31099@funkthat.com>
References: <20201114183908.GL31099@funkthat.com>
List-Id: "Security issues [members-only posting]"

J. Hellenthal wrote this message on Sat, Nov 14, 2020 at 12:49 -0600:
> Well shoot! I don't even think about going down that rabbit hole. Thank you.
>
> >> no IP address found for 2001:BB6:6A10:4200:58D7:5934:7

The `no IP address found for` triggered my "it's trying to do a name
lookup" thought process, but that'd only happen if it wasn't a valid
address..
> Wondering if it'd be more useful though to skip past those formatting
> errors to continue reading the rest of the list instead of just
> discarding the results and not loading the remainder.

Don't have a strong opinion on this...

> I'll be in touch with ip2location as well
>
> --
> J. Hellenthal
>
> The fact that there's a highway to Hell but only a stairway to Heaven
> says a lot about anticipated traffic volume.
>
> > On Nov 14, 2020, at 12:39, John-Mark Gurney wrote:
> >
> > J. Hellenthal via freebsd-security wrote this message on Sat, Nov 14, 2020 at 10:58 -0600:
> >> Hoping someone might be able to shed some light on this and get to a
> >> conclusion faster than I have time for right now.
> >>
> >>
> >> But while loading a CIDR formatted list with "#" comments from [1] I
> >> am getting the following error for multiple entries >10 and it
> >> results in only the partial list being loaded into the table... The
> >> settings to download the file[2] are from the Russian Federation,
> >> IPv6 and in CIDR format.
> >>
> >> ... (pfctl -v -t blacklist -T add -f [...]
> >> No ALTQ support in kernel
> >> ALTQ related functions disabled
> >> no IP address found for 2001:BB6:6A10:4200:58D7:5934:7
> >
> > Well, this isn't a valid ipv6 address.  There are only 7 segments,
> > whereas an ipv6 address needs 8.  There is not a :: to fill out the
> > missing segment.

--
  John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
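The thread's diagnosis is that `2001:BB6:6A10:4200:58D7:5934:7` has seven 16-bit groups and no `::`, so it is not an IPv6 address and pfctl stops loading the table at that line. Since pfctl reports only the entry it tripped over, a pre-check that flags every bad line at once, says why, and writes out only the entries that parse is the practical workaround. The script below is an added example written for this page; it is not pfctl code and not from the thread. It uses only the standard-library `ipaddress` module, the function names and the sample list are mine, and the sample list is constructed in the format the original poster describes (one address or CIDR prefix per line, `#` comments):

```python
#!/usr/bin/env python3
"""Pre-check a pf table file before `pfctl -t <table> -T add -f <file>`.

Added example, not part of the thread and not pf/pfctl code.  Uses only the
standard-library `ipaddress` module; function names and the sample list are
my own.  Lines are one address or CIDR prefix each; '#' starts a comment.
"""
import ipaddress
import sys

# Constructed sample list in the format described in the thread: IPv6 CIDR
# entries with '#' comments, plus one entry of seven groups and no '::'.
SAMPLE_LIST = """\
# constructed IPv6 CIDR export with comments
2001:bb6:6a10::/44
2001:BB6:6A10:4200:58D7:5934:7   # seven groups, no '::' -> rejected by pfctl
2a00:1450:4010::/48
2001:db8::/32 # trailing comment
"""


def diagnose(token):
    """Return None if `token` parses as an address/prefix, else a reason.

    The case from the thread (colon-separated groups, no '::', and not
    exactly 8 of them) gets a specific message; everything else gets a
    generic one.
    """
    try:
        ipaddress.ip_network(token, strict=False)
        return None
    except ValueError:
        pass
    addr = token.split("/", 1)[0]
    if ":" in addr and "::" not in addr:
        groups = len(addr.split(":"))
        if groups != 8:
            return f"{groups} groups, need 8 or a '::' to fill the gap"
    return "not a valid address or prefix"


def parse_pf_table(text):
    """Split a table file into (valid networks, [(lineno, token, reason)]).

    strict=False so a bare host address and a prefix with host bits set are
    both accepted, as they are when loading a table.
    """
    valid, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        token = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not token:
            continue
        reason = diagnose(token)
        if reason is None:
            valid.append(ipaddress.ip_network(token, strict=False))
        else:
            errors.append((lineno, token, reason))
    return valid, errors


if __name__ == "__main__":
    # Usage: pfcheck.py [list.txt] > clean.txt   (bad lines go to stderr,
    # exit status is non-zero if anything was rejected).
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LIST
    valid, errors = parse_pf_table(text)
    for lineno, token, reason in errors:
        print(f"line {lineno}: no IP address found for {token} ({reason})",
              file=sys.stderr)
    for net in valid:
        print(net)
    sys.exit(1 if errors else 0)
```

Run it over the downloaded list, feed the cleaned output to `pfctl -t blacklist -T add -f`, and use the stderr report to take the malformed entries up with the list provider. On the constructed sample it rejects line 3 with "7 groups, need 8 or a '::' to fill the gap" and passes the other three prefixes through unchanged; the same token with a `::` appended parses, which is exactly the missing piece the thread points at.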