From: "Kristof Provost" <kp@FreeBSD.org>
To: Özkan KIRIK
Cc: freebsd-pf@freebsd.org
Subject: Re: pf - SCTP ports are not allowed in filter rules.
Date: Sun, 25 Apr 2021 10:08:52 +0200
Message-ID: <69368466-D69F-4F7D-92C8-A4DFDD3D9A61@FreeBSD.org>

On 25 Apr 2021, at 7:56, Özkan KIRIK wrote:
> The SCTP protocol header has src port and dst port fields, but pf doesn't
> support them.
>
> # echo "pass log (to pflog0) quick proto SCTP from any to any port 13873" | pfctl -f -
> stdin:1: port only applies to tcp/udp
> stdin:1: skipping rule due to errors
> stdin:1: rule expands to no valid combination
> pfctl: Syntax error in config file: pf rules not loaded
> #
>
> I tried to write the same rule with ipfw. It works.
>
> # ipfw add 200 allow sctp from any to any 13873
> 00200 allow sctp from any to any 13873
>
> Do I have a mistake, or is filtering for SCTP ports not supported by pf?
> Is it possible to fix?
>
Pf does not support SCTP in any meaningful way. I have no plans to add SCTP support either.

Note that doing so involves a lot more than just teaching it to look at SCTP port numbers. Pf is a /stateful/ firewall, so we'd have to teach it the entire SCTP protocol lifecycle.

Best regards,
Kristof
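As an added example (not from this thread, nor from the pf or FreeBSD projects), a small parser for the SCTP common header and chunk list illustrates Kristof's point: the ports sit in the first four bytes of the header, but a stateful filter also has to follow the INIT / INIT-ACK / COOKIE-ECHO / COOKIE-ACK handshake and the SHUTDOWN/ABORT chunks to know when an association opens and closes. The packet bytes and the source port are constructed; the checksum field is left at zero rather than computed.

```python
import struct

# RFC 4960 common header: src port, dst port, verification tag, CRC32c checksum
SCTP_COMMON_HDR = struct.Struct("!HHII")
# Chunk header: type, flags, length (length excludes the 4-byte padding)
SCTP_CHUNK_HDR = struct.Struct("!BBH")

CHUNK_NAMES = {0: "DATA", 1: "INIT", 2: "INIT_ACK", 3: "SACK", 4: "HEARTBEAT",
               5: "HEARTBEAT_ACK", 6: "ABORT", 7: "SHUTDOWN", 8: "SHUTDOWN_ACK",
               9: "ERROR", 10: "COOKIE_ECHO", 11: "COOKIE_ACK", 14: "SHUTDOWN_COMPLETE"}
# Chunks a stateful filter must watch: the four-way handshake opens an
# association, SHUTDOWN*/ABORT close it. Matching "port 13873" alone sees none of this.
OPENING = {"INIT", "INIT_ACK", "COOKIE_ECHO", "COOKIE_ACK"}
CLOSING = {"ABORT", "SHUTDOWN", "SHUTDOWN_ACK", "SHUTDOWN_COMPLETE"}


def parse_sctp(packet: bytes):
    """Return (src_port, dst_port, verification_tag, [chunk names]) for one SCTP packet."""
    if len(packet) < SCTP_COMMON_HDR.size:
        raise ValueError("truncated SCTP common header")
    sport, dport, vtag, _csum = SCTP_COMMON_HDR.unpack_from(packet, 0)
    chunks, off = [], SCTP_COMMON_HDR.size
    while off + SCTP_CHUNK_HDR.size <= len(packet):
        ctype, _flags, clen = SCTP_CHUNK_HDR.unpack_from(packet, off)
        if clen < SCTP_CHUNK_HDR.size or off + clen > len(packet):
            raise ValueError("bad chunk length")
        chunks.append(CHUNK_NAMES.get(ctype, f"UNKNOWN_{ctype}"))
        off += (clen + 3) & ~3  # chunks are padded to a 4-byte boundary
    return sport, dport, vtag, chunks


def classify(chunks):
    """Which lifecycle phase a stateful filter would have to handle for these chunks."""
    if any(c in OPENING for c in chunks):
        return "association-setup"
    if any(c in CLOSING for c in chunks):
        return "association-teardown"
    return "established-traffic"


# Constructed sample 1: INIT from port 5000 to the thread's port 13873 (vtag must be 0)
SAMPLE_INIT = (SCTP_COMMON_HDR.pack(5000, 13873, 0, 0)
               + SCTP_CHUNK_HDR.pack(1, 0, 20)
               + struct.pack("!IIHHI", 0x12345678, 65535, 10, 10, 1))
# Constructed sample 2: a DATA chunk (B|E flags) carrying "hi", padded to 4 bytes
SAMPLE_DATA = (SCTP_COMMON_HDR.pack(5000, 13873, 0x12345678, 0)
               + SCTP_CHUNK_HDR.pack(0, 3, 18)
               + struct.pack("!IHHI", 1, 0, 0, 0) + b"hi" + b"\x00\x00")

if __name__ == "__main__":
    for pkt in (SAMPLE_INIT, SAMPLE_DATA):
        sport, dport, vtag, chunks = parse_sctp(pkt)
        print(f"{sport} -> {dport} vtag={vtag:#x} {chunks} => {classify(chunks)}")
```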