Date:      Thu, 16 Jun 2022 09:59:34 -0700
From:      Bob Grant <bglists@gmail.com>
To:        freebsd-questions@freebsd.org
Subject:   ipfilter strangeness with ipv6-icmp
Message-ID:  <CANgekZsYfUDt5z5=nnBMf2nkyRcs44VA-=Oh9ju2OT3hCPQeug@mail.gmail.com>


I'm using ipf to secure a FreeBSD 13.1 system that receives its IPV6
address via Router Advertisements.  When setting up my IPV6 rules I placed
an ipv6-icmp rule to allow all packets in.  However the Router
Advertisements were still blocked.  I found I had to specifically allow
icmp-type routerad.  This seems like a bug or I'm not understanding what
the unadorned version of the ipv6-icmp rule does.

The following is an abbreviated version of the relevant IPV6 ipf rules:

====== /etc/ipf.rules (abbreviated) ==========
#V6 eth0 Block in by default and allow all out
block in on eth0 family inet6 head 200
pass out quick on eth0 family inet6 all keep state

# ICMP try to allow all but log the blocks in case some don't work correctly
block in log proto ipv6-icmp from any to any group 200
# router advertisements fail with following rule
pass in quick family inet6 proto ipv6-icmp from any to any group 200
# router advertisements succeed with following rule and fail if commented out
pass in log quick family inet6 proto ipv6-icmp from any to any icmp-type routerad group 200
==============================================

The logs show the final pass being the rule that matched.  I can't
understand why the previous general one fails.  It is not the expected
behavior.

I spent a few hours looking through both the ipf source files to see how
things are parsed and encoded and also the ipfilter kernel module.  I was
unable to see where/how the icmp-type any was implemented.

I also looked around for the best place to post this and didn't find one.
Darren Reed's site for IPFilter seems down and the official mailing list is
no more.  Let me know if there is a better forum.

Best regards,

Bob
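Added example (not from Bob's post): a small Python tool that reads ipmon(8) log lines and reports, per ICMPv6 type, which group:rule matched and whether it passed or blocked, so a ruleset like the one above can be checked against what the kernel actually did. The ipmon field layout encoded in the regex is an assumption, and the sample log lines are constructed.

```python
import re
from collections import defaultdict

# ICMPv6 type numbers (RFC 4443 / RFC 4861) with the names ipf uses.
ICMPV6_TYPES = {128: "echo", 129: "echoreply", 133: "routersol",
                134: "routerad", 135: "neighborsol", 136: "neighboradv"}

# Assumed ipmon layout: "... @group:rule action src -> dst PR proto ...
# type/code IN|OUT". Adjust the pattern if your ipmon output differs.
LOG_RE = re.compile(
    r"@(?P<group>\d+):(?P<rule>\d+)\s+(?P<action>[pbSLn])\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+PR\s+(?P<proto>\S+)"
    r".*?\b(?P<type>\d+)/(?P<code>\d+)\s+(?P<dir>IN|OUT)\b"
)

def parse_line(line):
    """Rule, action, direction and ICMPv6 type of one line; None otherwise."""
    m = LOG_RE.search(line)
    if not m or m.group("proto") not in ("ipv6-icmp", "icmpv6", "58"):
        return None
    t = int(m.group("type"))
    return {"type": ICMPV6_TYPES.get(t, f"type{t}"),
            "rule": f"{m.group('group')}:{m.group('rule')}",
            "action": "block" if m.group("action") == "b" else "pass",
            "dir": m.group("dir")}

def summarize(lines, direction="IN"):
    """Count, per ICMPv6 type, how often each (rule, action) pair matched."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_line(line)
        if rec and rec["dir"] == direction:
            hits[rec["type"]][(rec["rule"], rec["action"])] += 1
    return {t: dict(v) for t, v in hits.items()}

def blocked_types(summary):
    """ICMPv6 types that hit a block rule at least once, sorted by name."""
    return sorted(t for t, v in summary.items()
                  if any(a == "block" for _, a in v))

# Constructed sample lines, not a real capture.
SAMPLE_LOG = """\
16/06/2022 09:40:01.000001 eth0 @200:3 p fe80::1 -> ff02::1 PR ipv6-icmp len 40 56 icmpv6 134/0 IN
16/06/2022 09:40:05.000002 eth0 @200:1 b fe80::2 -> fe80::3 PR ipv6-icmp len 40 32 icmpv6 135/0 IN
16/06/2022 09:40:07.000003 eth0 @0:1 p 2001:db8::5,40000 -> 2001:db8::1,22 PR tcp len 40 60 -S IN
"""

if __name__ == "__main__":
    print(blocked_types(summarize(SAMPLE_LOG.splitlines())))
```

Feed it the output of `ipmon -n` (or the syslog file ipmon writes to) to see which group:rule each ICMPv6 type actually hit.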
