From owner-freebsd-pf@FreeBSD.ORG Sat Dec 29 21:03:25 2012 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id E6F016E6 for ; Sat, 29 Dec 2012 21:03:24 +0000 (UTC) (envelope-from dokas@dokas.name) Received: from mail.dokas.name (mail.dokas.name [199.199.210.193]) by mx1.freebsd.org (Postfix) with ESMTP id AEDE68FC16 for ; Sat, 29 Dec 2012 21:03:24 +0000 (UTC) Received: from dagon.dokas.name (c-24-131-182-9.hsd1.mn.comcast.net [24.131.182.9]) by mail.dokas.name (Postfix) with ESMTPSA id A3A2B1F0BE for ; Sat, 29 Dec 2012 14:57:16 -0600 (CST) Message-ID: <50DF592B.1030600@dokas.name> Date: Sat, 29 Dec 2012 14:57:15 -0600 From: Paul Dokas User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:17.0) Gecko/17.0 Thunderbird/17.0 MIME-Version: 1.0 To: freebsd-pf@freebsd.org Subject: Re: [SOLVED]: nc: connect to b:b:b:b::1:1 port 53 (tcp) failed: Operation timed out References: <14C709A3-B608-44C3-B12F-5F6790AA60DC@odo.in-berlin.de> <50DEDA01.4060103@cyberleo.net> <5FA24BDE-D6EE-4C3F-B0DE-BC5CBE9EA7A8@odo.in-berlin.de> In-Reply-To: <5FA24BDE-D6EE-4C3F-B0DE-BC5CBE9EA7A8@odo.in-berlin.de> X-Enigmail-Version: 1.4.6 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list Reply-To: paul@dokas.name List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 29 Dec 2012 21:03:25 -0000 On 12/29/12 08:31, Michael Grimm wrote: > I've been told to change my outgoing rule from ... > > | pass out log on $extIF inet6 proto {tcp, udp, icmp6, gre} all modulate state > > ... to ... > > | pass out log on $extIF inet6 proto {tcp, udp, icmp6, gre} all > > ... and that did the trick! No more checksum and timeout errors. Now it works as expected. > > Just for me to learn: What change in code from 9.0 to 9.1 made that first rule break? I used that rule since 7.0, IIRC. I'll add another data point as this affected me also. I have a host that I recently upgraded from 9.0 -> 9.1. Under 9.0, I could ssh to it without any issues using both ipv4 and ipv6. However after upgrading to 9.1, I could no longer access this host via ipv6. In /etc/pf.conf under 9.0, the packets were allowed via this line: pass in proto tcp from to port 22 modulate state Now, under 9.1, I had to replace this line with the following to restore ipv4 and ipv6 connectivity: pass in inet proto tcp from to port 22 modulate state pass in inet6 proto tcp from to port 22 Thank you for the fix. I'm also curious about what changed in PF between 9.0 and 9.1. Looking over the commits, I see many changes, several of which affect ipv6, but nothing that would obviously account for this change in behavior. I am also no expert on the PF code, so I could easily be missing something obvious. The broken behavior that I am seeing goes like this: Host A: FreeBSD 9.1 with ipv4 and ipv6 connectivity Host B: Linux with ipv4 and ipv6 connectivity 14:42:54.449782 IP6 HostB.23277 > HostA.22: Flags [S], seq 4121331899, win 65535, options [mss 1440,nop,wscale 9,sackOK,TS val 3181373 ecr 0], length 0 14:42:54.449971 IP6 HostA.22 > HostB.23277: Flags [S.], seq 1127207337, ack 4121331900, win 65535, options [mss 1440,nop,wscale 9,sackOK,TS val 3217245253 ecr 3181373], length 0 This is from tcpdump output on host B. The SYN/ACK packet does make it to host B, but seems to be silently ignored. For comparison, here's the same few packets with the fix in place on Host A: 14:51:58.716186 IP6 HostB.33915 > HostA.22: Flags [S], seq 3905485643, win 65535, options [mss 1440,nop,wscale 9,sackOK,TS val 3725643 ecr 0], length 0 14:51:58.716356 IP6 HostA.22 > HostB.33915: Flags [S.], seq 2791731777, ack 3905485644, win 65535, options [mss 1440,nop,wscale 9,sackOK,TS val 3462082146 ecr 3725643], length 0 14:51:58.716411 IP6 HostB.33915 > HostA.22: Flags [.], ack 1, win 2049, options [nop,nop,TS val 3725643 ecr 3462082146], length 0 In this case, the 3 way handshake completes. Paul -- Paul Dokas dokas at dokas.name ====================================================================== Don Juan Matus: "an enigma wrapped in mystery wrapped in a tortilla."