From: Harald Schmalzbauer (OmniLAN)
To: FreeBSD Stable <freebsd-stable@freebsd.org>
Date: Fri, 31 May 2013 15:43:00 +0200
Message-ID: <51A8A8E4.5000004@omnilan.de>
Subject: pf losing (v6) TCP states much too early, "no-route" not working with IPv6

Hello,

my default pf config blocks everything and allows specific connections. One of them is "in from x to self port ssh" which expands to "port ssh keep state flags S/SA" by default.
After ssh login, I see the corresponding entry in the states table:

all tcp 2001:db8:f0bb:1::1[22] <- 2001:db8:f0bb:1::3:1[42730]       ESTABLISHED:ESTABLISHED

pfctl -s info claims:

TIMEOUTS:
...
tcp.established 86400s
...

After a couple of hours of inactivity, the ssh session silently stalls. Here's what I have in the log:

rule 3/0(match): block in on rl1: 2001:db8:f0bb:1::3:1.42730 > 2001:db8:f0bb:1::1.22: Flags [P.], ack 1444009640, win 65535, length 48

The rule evaluation by itself is correct, it's no TCP SYN, so it gets blocked, but this packet should not get through the ruleset at all, at least not before 86400s of idle connection. In my case, it was after ~3 hours. And the port numbers are exactly the same as in the state table entry from some hours before. So the state table entry seems to have got lost!

My question: Is such a problem known? Did I miss anything else?

System runs 8.1-STABLE/x86

Another issue was that "no-route" doesn't work for IPv6 connections. I had to replace it with "any".

Thanks for any hints in advance,

-Harry

P.S.: It's an embedded box where upgrading is overdue, but not that easy...
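The post pairs a `pfctl -s state` entry with a later pflog block line for the same 5-tuple and argues that the block must mean the state vanished before tcp.established ran out. The following script is an added example, not part of the mail or of pf itself: it parses the two line formats quoted above and reports a blocked non-SYN TCP packet whose endpoints match an ESTABLISHED entry from an earlier snapshot while the connection has been idle for less than the configured timeout. The snapshot lines, the extra SYN block line, the 3-hour idle gap and the 86400s timeout value are all constructed from the figures in the mail; real deployments would feed it `pfctl -s state` output and `tcpdump -n -e -ttt -i pflog0` lines with their own timestamps.

```python
"""Cross-check pflog block entries against a pfctl state snapshot.

Added example (not from the original mail). Given a snapshot of
`pfctl -s state` taken while a connection was ESTABLISHED and pflog
lines captured later, flag blocked non-SYN TCP packets that belong to
a connection from the snapshot: with pf's default "keep state flags S/SA"
such a packet can only reach the ruleset if its state is already gone.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

Endpoint = Tuple[str, int]

# `pfctl -s state`: "all tcp A[port] <- B[port]   ESTABLISHED:ESTABLISHED"
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>tcp|udp|icmp6?)\s+"
    r"(?P<a>\S+)\[(?P<ap>\d+)\]\s+(?P<dir><->|<-|->)\s+"
    r"(?P<b>\S+)\[(?P<bp>\d+)\]\s+(?P<state>\S+)"
)
# tcpdump on pflog0: "rule N/0(match): block in on IF: SRC.PORT > DST.PORT: Flags [..]"
# Ports are separated by '.', which also works for IPv6 addresses.
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\((?P<reason>\w+)\): (?P<action>block|pass) "
    r"(?P<dir>in|out) on (?P<iface>\S+): "
    r"(?P<src>\S+)\.(?P<sp>\d+) > (?P<dst>\S+)\.(?P<dp>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


@dataclass(frozen=True)
class State:
    proto: str
    endpoints: FrozenSet[Endpoint]   # unordered: direction arrow is irrelevant here
    state: str


@dataclass(frozen=True)
class LogEntry:
    rule: int
    action: str
    direction: str
    iface: str
    src: Endpoint
    dst: Endpoint
    flags: str

    @property
    def endpoints(self) -> FrozenSet[Endpoint]:
        return frozenset((self.src, self.dst))

    @property
    def is_syn(self) -> bool:
        return "S" in self.flags


def parse_state(line: str) -> Optional[State]:
    m = STATE_RE.match(line.strip())
    if not m:
        return None
    eps = frozenset({(m["a"], int(m["ap"])), (m["b"], int(m["bp"]))})
    return State(m["proto"], eps, m["state"])


def parse_pflog(line: str) -> Optional[LogEntry]:
    m = PFLOG_RE.search(line)
    if not m:
        return None
    return LogEntry(int(m["rule"]), m["action"], m["dir"], m["iface"],
                    (m["src"], int(m["sp"])), (m["dst"], int(m["dp"])), m["flags"])


def audit(states: List[State], entries: List[LogEntry], idle_seconds: int,
          established_timeout: int = 86400) -> List[Tuple[int, str]]:
    """Return (rule number, verdict) for each suspicious block.

    A blocked SYN is an ordinary rule decision and is ignored.  A blocked
    non-SYN packet on a 5-tuple that was ESTABLISHED in the snapshot means
    the state entry is gone; if the connection was idle for less than
    tcp.established, the state expired early rather than by timeout.
    """
    established = {s.endpoints for s in states
                   if s.proto == "tcp" and s.state == "ESTABLISHED:ESTABLISHED"}
    findings = []
    for e in entries:
        if e.action != "block" or e.is_syn or e.endpoints not in established:
            continue
        verdict = ("state lost before tcp.established timeout"
                   if idle_seconds < established_timeout
                   else "state expired by tcp.established timeout")
        findings.append((e.rule, verdict))
    return findings


# Constructed sample data, based on the figures quoted in the mail.
STATE_SNAPSHOT = [
    "all tcp 2001:db8:f0bb:1::1[22] <- 2001:db8:f0bb:1::3:1[42730]       ESTABLISHED:ESTABLISHED",
]
PFLOG_LINES = [
    "rule 3/0(match): block in on rl1: 2001:db8:f0bb:1::3:1.42730 > 2001:db8:f0bb:1::1.22: "
    "Flags [P.], ack 1444009640, win 65535, length 48",
    # constructed: a blocked SYN to a closed port is a normal rule hit, not state loss
    "rule 3/0(match): block in on rl1: 2001:db8:f0bb:1::3:1.51000 > 2001:db8:f0bb:1::1.23: "
    "Flags [S], seq 1, win 65535, length 0",
]
IDLE_SECONDS = 3 * 3600          # "~3 hours" of inactivity from the mail
TCP_ESTABLISHED = 86400          # from the quoted `pfctl -s info` output


def run_sample() -> List[Tuple[int, str]]:
    states = [s for s in map(parse_state, STATE_SNAPSHOT) if s]
    entries = [e for e in map(parse_pflog, PFLOG_LINES) if e]
    return audit(states, entries, IDLE_SECONDS, TCP_ESTABLISHED)


if __name__ == "__main__":
    for rule, verdict in run_sample():
        print(f"rule {rule}: {verdict}")
```

Both parsers return None on lines they do not recognise, so the audit can be run over a raw pflog capture without pre-filtering; the endpoint set is unordered because `pfctl -s state` prints the local side first for inbound (`<-`) states while tcpdump prints source first.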