From: Freek Dijkstra
To: freebsd-pf@freebsd.org
Date: Tue, 12 Nov 2013 13:40:13 +0100
Subject: IPv6 scrubbing
Message-ID: <528221AD.8020904@macfreek.nl>
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hi,

What is the advice on scrubbing IPv6 packets in PF? I've come across three bugs in pf that caused legitimate IPv6 to be dropped:

* "scrub fragment reassemble" drops all IPv6 fragments. (PF in OpenBSD 5.0 has fixed this, but FreeBSD 9.2 unfortunately still seems to use the PF version of OpenBSD 4.5.)
  (http://www.freebsd.org/cgi/query-pr.cgi?pr=124933)

* "scrub reassemble tcp" is causing a ~30 second delay in setting up an SSH connection to a server with a pf firewall. In tcpdump I see a large number of TCP retransmissions from the client to the server after the SYN ACK packet. I have not dived into the specifics, but turning this option off fixed things.
  (http://www.freebsd.org/cgi/query-pr.cgi?pr=172648)

* IPv6 traffic over the loopback interface (lo0) is generally reported as traversing a non-loopback interface. I first came across this in ipfw, but since the bug is in the kernel, it applies to PF as well.
  (http://www.freebsd.org/cgi/query-pr.cgi?pr=165190)

While these are the only pf/IPv6 bugs I've encountered since I started using FreeBSD about 2 years ago now, and switched to PF last month, I see more potential problems, like #169630 (though that's not IPv6 specific). Rather than waiting for me to bump into the next IPv6 bug, I'm trying to understand the current limitations of IPv6 support in PF. In particular, what is the recommended scrubbing for IPv6 packets? I currently have:

    scrub inet fragment reassemble reassemble tcp random-id
    scrub inet6 fragment reassemble random-id
    pass quick inet6 proto ipv6-frag all

Is this recommended?

A small question about the bug database: Is there a way to 'follow' certain bug reports (i.e. get email upon comments or state changes)? Bugs #165190 and #169630 have had patches for over a year (even though the latter has no '[patch]' tag yet); what is the general way to raise awareness of these bugs so they are applied to a next version of FreeBSD?

Regards,
Freek Dijkstra
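The following pf.conf fragment is an added example, not part of the mail above and not a FreeBSD project recommendation. It assumes the behaviour the mail reports for the pf in FreeBSD 9.2 (OpenBSD 4.5 lineage): "fragment reassemble" drops every IPv6 fragment (PR 124933) and "reassemble tcp" delays TCP session setup (PR 172648). It shows the ruleset with those options applied to both address families beside a variant that keeps them only where they work, and keeps the explicit pass for the IPv6 fragment header so that fragments pf cannot reassemble still get through. Interface names and the decision to apply the rules on "in" are assumptions for the illustration.

```pf
# Added example pf.conf fragment (constructed; not the poster's ruleset).
# Assumes the pf shipped with FreeBSD 9.2, where IPv6 fragment reassembly
# is not implemented (PR 124933) and "reassemble tcp" causes SYN/ACK
# retransmission delays (PR 172648).

# --- Problematic form: the same normalization for both address families.
# On this pf version "fragment reassemble" drops all IPv6 fragments, and
# "reassemble tcp" adds the ~30 s connection delay described in the mail.
#scrub in inet  all fragment reassemble reassemble tcp random-id
#scrub in inet6 all fragment reassemble random-id

# --- Adjusted form: normalize only where the implementation works.

# IPv4: reassembly is implemented here, so keep it. "random-id" rewrites
# the IPv4 identification field, which only exists in IPv4 (pf.conf(5)).
# "reassemble tcp" is left out because of PR 172648.
scrub in inet all fragment reassemble random-id

# IPv6: basic sanity checks only. No "fragment reassemble" (it would drop
# every fragment on this version) and no "random-id" (IPv4-only option).
scrub in inet6 all

# Fragments that pf cannot reassemble must be allowed explicitly, before
# any stateful filtering that would not match a non-first fragment.
pass quick inet6 proto ipv6-frag all

# Remaining filter rules follow here (assumed: default-deny, then passes).
block all
pass out quick keep state
```

After loading with `pfctl -f /etc/pf.conf`, `pfctl -vsr` shows per-rule packet counters, so sending a large `ping6` (one that exceeds the path MTU and therefore fragments) through the firewall and watching the `ipv6-frag` rule's counter move is a quick way to confirm that fragments are taking the intended rule rather than being silently dropped by scrub.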