Date: Fri, 11 Jun 2010 13:58:24 GMT
From: sebastien boggia <sebastien.boggia@unistra.fr>
To: freebsd-gnats-submit@FreeBSD.org
Subject: amd64/147789: Firewall PF no longer drops connections by sending TCP RST packets
Message-ID: <201006111358.o5BDwOig092686@www.freebsd.org>
Resent-Message-ID: <201006111400.o5BE0HtK071695@freefall.freebsd.org>
>Number:         147789
>Category:       amd64
>Synopsis:       Firewall PF no longer drops connections by sending TCP RST packets
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-amd64
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jun 11 14:00:16 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator:     sebastien boggia
>Release:        8.0-RELEASE-p2
>Organization:
university of strasbourg
>Environment:
FreeBSD ash.u-strasbg.fr 8.0-RELEASE-p2 FreeBSD 8.0-RELEASE-p2 #1: Fri Feb 26 13:11:24 UTC 2010     root@fbsd8-64:/usr/obj/usr/src/sys/SMP8-64  amd64
>Description:
We upgraded our firewall from FreeBSD 6.4 to FreeBSD 8.0 and now we have a problem with pf and IPv6: the return-rst rules no longer work.

FreeBSD ash.u-strasbg.fr 8.0-RELEASE-p2 FreeBSD 8.0-RELEASE-p2 #1: Fri Feb 26 13:11:24 UTC 2010     root@fbsd8-64:/usr/obj/usr/src/sys/SMP8-64  amd64

When a packet matches the following rule, the system should reply to the source address with a TCP RST packet in order to drop the connection.

block return-rst in quick log on { $int_if $int_carp_if } inet6 proto tcp from any to any port { $port_autorises_host_wifi }

It worked on FreeBSD 6.4 but not on FreeBSD 8.0.

With tcpdump on pflog0 we can see the packets matching the rule.

..
tcpdump -en -s0 -i pflog0
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 65535 bytes
15:53:43.725574 rule 320/0(match): block in on vlan900: fe80::226:5eff:fe01:b33e.38423 > 2001:660:2402::90.443: Flags [S], seq 1947608384, win 5760, options [mss 1440,sackOK,TS val 6811328 ecr 0,nop,wscale 6], length 0
15:53:45.488687 rule 318/0(match): block in on vlan900: 2001:660:2402:2001:85ee:f2ca:8cae:61f1.54489 > 2a00:1450:4001:1::13.80: Flags [S], seq 792126535, win 8192, options [mss 1440,nop,wscale 2,nop,nop,sackOK], length 0
..
>How-To-Repeat:
This is the network configuration on the server:

vlan818: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=3<RXCSUM,TXCSUM>
	ether 00:26:55:1a:b9:fc
	inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
	inet6 fe80::226:55ff:fe1a:b9fc%vlan818 prefixlen 64 scopeid 0x6
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
	vlan: 818 parent interface: bce0
vlan212: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=3<RXCSUM,TXCSUM>
	ether 00:26:55:1a:b9:fc
	inet 130.79.208.186 netmask 0xfffffff8 broadcast 130.79.208.191
	inet6 fe80::226:55ff:fe1a:b9fc%vlan212 prefixlen 64 scopeid 0x7
	inet6 2001:660:2402:7::2 prefixlen 64
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
	vlan: 212 parent interface: bce0
vlan900: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=3<RXCSUM,TXCSUM>
	ether 00:26:55:1a:b9:fc
	inet 172.17.255.253 netmask 0xffff0000 broadcast 172.17.255.255
	inet6 fe80::226:55ff:fe1a:b9fc%vlan900 prefixlen 64 scopeid 0x8
	inet6 2001:660:2402:2001:fe:: prefixlen 64
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
	vlan: 900 parent interface: bce0
carp212: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
	inet 130.79.208.185 netmask 0xfffffff8
	inet6 2001:660:2402:7::1 prefixlen 64
	carp: MASTER vhid 150 advbase 1 advskew 0
carp900: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
	inet 172.17.255.254 netmask 0xffff0000
	inet6 2001:660:2402:2001:ff:: prefixlen 64
	carp: MASTER vhid 150 advbase 1 advskew 0

Following is an extract of the pf.conf file:

carp_if="{vlan212,vlan900}"
ext_carp_if="carp212"
int_carp_if="carp900"
ext_if="vlan212"
int_if="vlan900"

set debug urgent
set limit { states 600000 , frags 10000 , src-nodes 100000 }
set timeout interval 5
set optimization normal

scrub in all fragment crop no-df

port_autorises_host_wifi = "smtp, ssh, http, 8080, https, imaps, 1993, \
	pop3s, ldap, ldaps, ntp, 8443, 3389, rsync, \
	nntp, 5999, 465, 1194, 1232, 5222, 5223, \
	587, 1723, 1701, 5060, 5061, 5062, irc, ircs, \
	6665, 6666, 6667, 6669"

block return-rst in quick log on { $int_if $int_carp_if } inet6 proto tcp from any \
	to any port { $port_autorises_host_wifi }

>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
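The report shows only the pflog side: the rule matches, but nothing here proves whether a RST went back out. The script below is an added example, not part of the report, that pairs blocked packets logged on pflog0 with RST segments captured on the interface the packet arrived on (vlan900 here) and lists the blocked packets that got no RST back. The two pflog lines are the ones from the report; the interface capture lines are constructed to illustrate the format printed by "tcpdump -n" (no -e, so no MAC addresses, and an "IP6" prefix), and the one-second pairing window is an assumption.

```python
import re
from dataclasses import dataclass
from typing import List

# Line format printed by "tcpdump -en -s0 -i pflog0" (as in the report):
# <time> rule <n>/<sub>(match): <action> <dir> on <if>: <src>.<sport> > <dst>.<dport>: Flags [<f>], ...
PFLOG_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) rule (?P<rule>\d+)/\d+\(\w+\): "
    r"(?P<action>\w+) (?P<dir>in|out) on (?P<ifname>\S+): "
    r"(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

# Assumed line format of a plain "tcpdump -n -i <if>" capture of IPv6 TCP traffic:
# <time> IP6 <src>.<sport> > <dst>.<dport>: Flags [<f>], ...
IFACE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP6 "
    r"(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

# The two pflog lines quoted in the report.
SAMPLE_PFLOG = [
    "15:53:43.725574 rule 320/0(match): block in on vlan900: fe80::226:5eff:fe01:b33e.38423 > 2001:660:2402::90.443: Flags [S], seq 1947608384, win 5760, options [mss 1440,sackOK,TS val 6811328 ecr 0,nop,wscale 6], length 0",
    "15:53:45.488687 rule 318/0(match): block in on vlan900: 2001:660:2402:2001:85ee:f2ca:8cae:61f1.54489 > 2a00:1450:4001:1::13.80: Flags [S], seq 792126535, win 8192, options [mss 1440,nop,wscale 2,nop,nop,sackOK], length 0",
]

# Constructed interface capture: the second SYN and a RST answering it; nothing answers the first SYN.
SAMPLE_IFACE = [
    "15:53:45.488687 IP6 2001:660:2402:2001:85ee:f2ca:8cae:61f1.54489 > 2a00:1450:4001:1::13.80: Flags [S], seq 792126535, win 8192, options [mss 1440,nop,wscale 2,nop,nop,sackOK], length 0",
    "15:53:45.488801 IP6 2a00:1450:4001:1::13.80 > 2001:660:2402:2001:85ee:f2ca:8cae:61f1.54489: Flags [R.], seq 0, ack 792126536, win 0, length 0",
]


def ts_seconds(ts: str) -> float:
    """Convert a tcpdump HH:MM:SS.ffffff timestamp to seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


@dataclass
class Segment:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: str
    rule: str = ""      # pf rule number, only known for pflog lines
    ifname: str = ""    # interface, only known for pflog lines


def parse_blocked(pflog_lines: List[str]) -> List[Segment]:
    """Keep pflog entries for inbound blocked TCP packets that a return-rst rule must answer.
    Packets that already carry RST are skipped: pf never replies to a RST with a RST."""
    out = []
    for line in pflog_lines:
        m = PFLOG_RE.match(line.strip())
        if not m or m["action"] != "block" or m["dir"] != "in" or "R" in m["flags"]:
            continue
        out.append(Segment(ts_seconds(m["ts"]), m["src"], int(m["sport"]),
                           m["dst"], int(m["dport"]), m["flags"], m["rule"], m["ifname"]))
    return out


def parse_rsts(iface_lines: List[str]) -> List[Segment]:
    """Keep only the segments with the RST flag set from an interface capture."""
    out = []
    for line in iface_lines:
        m = IFACE_RE.match(line.strip())
        if not m or "R" not in m["flags"]:
            continue
        out.append(Segment(ts_seconds(m["ts"]), m["src"], int(m["sport"]),
                           m["dst"], int(m["dport"]), m["flags"]))
    return out


def unanswered(pflog_lines: List[str], iface_lines: List[str], window: float = 1.0) -> List[Segment]:
    """Blocked packets for which no RST from dst:dport back to src:sport was seen on the
    interface within `window` seconds. A non-empty result means return-rst did not fire."""
    rsts = parse_rsts(iface_lines)
    missing = []
    for pkt in parse_blocked(pflog_lines):
        answered = any(
            r.src == pkt.dst and r.sport == pkt.dport
            and r.dst == pkt.src and r.dport == pkt.sport
            and 0.0 <= r.ts - pkt.ts <= window
            for r in rsts
        )
        if not answered:
            missing.append(pkt)
    return missing


if __name__ == "__main__":
    for pkt in unanswered(SAMPLE_PFLOG, SAMPLE_IFACE):
        print(f"rule {pkt.rule} on {pkt.ifname}: no RST sent for "
              f"{pkt.src}.{pkt.sport} > {pkt.dst}.{pkt.dport}")
```

To use it on a live box, run "tcpdump -en -s0 -i pflog0" and "tcpdump -n -i vlan900 'ip6 and tcp'" side by side, then feed each output file to unanswered(). With the sample data above, the rule 318 SYN is matched to its RST and only the rule 320 SYN is reported, which is exactly the symptom described in the report.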