From: Petko Bordjukov
To: freebsd-pf@FreeBSD.org
Subject: Re: kern/127920: [pf] ipv6 and synproxy don't play well together
Date: Sun, 18 Jan 2009 20:00:04 GMT
Message-Id: <200901182000.n0IK04Wm023676@freefall.freebsd.org>
List-Id: "Technical discussion and general questions about packet filter (pf)"

The following reply was made to PR kern/127920; it has been noted by GNATS.

From: Petko Bordjukov
To: bug-followup@FreeBSD.org, hlh@restart.be
Subject: Re: kern/127920: [pf] ipv6 and synproxy don't play well together
Date: Sun, 18 Jan 2009 21:29:56 +0200

I am having the same problem.

FreeBSD router.supranet.eu 7.1-RELEASE-p2 FreeBSD 7.1-RELEASE-p2 #2: Wed Jan 14 15:58:07 EET 2009 root@router.xxx.yyy:/var/src/sys/i386/compile/H5A8S i386

pf.conf:

> ...
>
> # Settings
>
> set block-policy drop
> set skip on lo0
>
> ## TRAFFIC NORMALIZATION
> scrub in on $ext_if all fragment reassemble
> scrub out on $ext_if all fragment reassemble random-id no-df
> scrub in on $tunnel_if all fragment reassemble
> scrub out on $tunnel_if all fragment reassemble random-id no-df
>
> # Queueing
>
> # Translation
>
> # Filtering
>
> # activate spoofing protection for all interfaces
> # block in log quick from urpf-failed
> antispoof log quick for $loopback_if label "Antispoof for $if interface."
> antispoof log quick for $int_if label "Antispoof for $if interface."
>
> # default rule
> block log all label "Block all."
> block in on $ext_if proto { tcp udp } from any to any port { 137, 138, 139, 445 } label "Block netbios broadcasts and don't log."
>
> pass out from self to any modulate state label "Permit outgoing traffic from the firewall."
> pass out on !$int_if from $localnet6 to any modulate state label "Permit outgoing traffic from the local v6 net."
> pass inet proto icmp all icmp-type { 0, 3, 4, 11 } keep state label "Permit safe ICMP."
> # http://www.freebsd.org/cgi/man.cgi?query=icmp6
> pass inet6 proto icmp6 all icmp6-type { 1,2,3,4 } keep state label "Permit safe ICMPv6."
> pass in on $tunnel_if inet6 proto icmp6 from $tun_endpoint icmp6-type {128,135,136} keep state label "Permit IPv6 ping, neighbor solic., advert. from endpoint."
>
> # Allow access to services
> pass in inet proto tcp from any to $pub_ips port $tcp_services synproxy state label "Access to $dstaddr $proto/$dstport."
>
> #### Trouble comes from this rule
> pass in inet6 proto tcp from any to $pub_ips port $tcp_services synproxy state label "Access to $dstaddr $proto/$dstport."
>
> pass in proto udp from any to $pub_ips port $udp_services keep state label "Access to $dstaddr $proto/$dstport."
> pass in on $ext_if inet proto {tcp udp} from any to $localnet port $connectable synproxy state label "Allow incoming connections -> mapped $proto ports on $if."
>
> # trusted IPs
> pass from to any keep state label "Grant access to trusted IPs."
>
> # trust local network
> pass in on $int_if all modulate state label "Permit incoming traffic from the Local network."
> pass out on $int_if proto {tcp, udp} from any to $localnet4 port $connectable modulate state label "Allow connections to mapped ports to reach LAN destinations."
> pass proto tcp from any to $localnet6 port $client_tcp_services modulate state label "Allow IPv6 access to/from the ($proto) client services."
> pass proto { tcp, udp } from any to $localnet6 port $connectable modulate state label "Allow IPv6 access to/from the connectable ($proto) ports."

-- 
- Petko
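As an added audit aid (not part of the PR, the follow-up, or the poster's ruleset), the Python below scans a pf.conf for the class of rule this PR is about: `synproxy state` applied to IPv6 traffic, either through an explicit `inet6` rule or through a rule with no address family, which pf matches against both families unless its addresses are IPv4-only. The sample ruleset and its macros are constructed to resemble the quoted config, and the `keep state` fallback is an assumed workaround that gives up SYN-proxy protection for that rule, not a fix the PR confirms.

```python
import re

# Constructed ruleset modelled on the pf.conf quoted in the follow-up;
# the macros are placeholders and this is not the poster's file verbatim.
SAMPLE_PF_CONF = """\
# default rule
block log all label "Block all."
pass in inet proto tcp from any to $pub_ips port $tcp_services synproxy state
#### Trouble comes from this rule
pass in inet6 proto tcp from any to $pub_ips port $tcp_services synproxy state
pass in on $ext_if inet proto {tcp udp} from any to $localnet port $connectable synproxy state
pass proto tcp from any to $localnet6 port $client_tcp_services modulate state
pass in proto tcp from any to $pub_ips port 443 synproxy state
"""

RULE_RE = re.compile(r"^(pass|block)\b")   # filter rules only; sets/scrub/antispoof skipped
AF_RE = re.compile(r"\b(inet6|inet)\b")    # pf address-family keyword, if any

def rule_af(rule):
    """Return 'inet', 'inet6' or None when the rule names no address family."""
    m = AF_RE.search(rule)
    return m.group(1) if m else None

def synproxy_ipv6_rules(text):
    """Return (line_no, reason, rule) for every filter rule that would apply
    synproxy state to IPv6: an explicit inet6 rule, or a rule with no address
    family at all, which pf evaluates for both families unless the addresses
    in it happen to be IPv4-only (macros are not expanded here)."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("#") or not RULE_RE.match(line):
            continue  # comment, macro, option or non-filter line
        if "synproxy state" not in line:
            continue
        af = rule_af(line)
        if af == "inet6":
            findings.append((n, "inet6 rule uses synproxy state", line))
        elif af is None:
            findings.append((n, "no address family: synproxy also applies to IPv6", line))
    return findings

def keep_state_workaround(rule):
    """Assumed workaround: plain stateful filtering instead of synproxy for the
    flagged rule. This drops the SYN-proxy protection for that rule; it only
    restores ordinary IPv6 TCP handling while the PR is open."""
    return rule.replace("synproxy state", "keep state")

if __name__ == "__main__":
    for line_no, reason, rule in synproxy_ipv6_rules(SAMPLE_PF_CONF):
        print(f"line {line_no}: {reason}\n  {rule}\n  -> {keep_state_workaround(rule)}")
```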