From: Bob Grant
Date: Thu, 16 Jun 2022 09:59:34 -0700
Subject: ipfilter strangeness with ipv6-icmp
To: freebsd-questions@freebsd.org

I'm using ipf to secure a FreeBSD 13.1 system that receives its IPv6 address via Router Advertisements. When setting up my IPv6 rules I placed an ipv6-icmp rule to allow all packets in. However, the Router Advertisements were still blocked. I found I had to specifically allow icmp-type routerad. This seems like a bug, or I'm not understanding what the unadorned version of the ipv6-icmp rule does.

The following is an abbreviated version of the relevant IPv6 ipf rules:

====== /etc/ipf.rules (abbreviated) ==========
#V6 eth0 Block in by default and allow all out
block in on eth0 family inet6 head 200
pass out quick on eth0 family inet6 all keep state

# ICMP try to allow all but log the blocks in case some don't work correctly
block in log proto ipv6-icmp from any to any group 200
# router advertisements fail with following rule
pass in quick family inet6 proto ipv6-icmp from any to any group 200
# router advertisements succeed with following rule and fail if commented out
pass in log quick family inet6 proto ipv6-icmp from any to any icmp-type routerad group 200
==============================================

The logs show the final pass being the rule that matched. I can't understand why the previous general one fails. It is not the expected behavior.

I spent a few hours looking through both the ipf source files to see how things are parsed and encoded and also the ipfilter kernel module. I was unable to see where/how the icmp-type any was implemented.

I also looked around for the best place to post this and didn't find one. Darren Reed's site for IPFilter seems down and the official mailing list is no more. Let me know if there is a better forum.
Best regards,
Bob
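A small rule evaluator for reasoning about the three group-200 rules in the post above, added here and not part of the post or of ipfilter itself: it applies ipf's rule ordering under the semantics the poster expected (a proto ipv6-icmp rule with no icmp-type matching every ICMPv6 type) so the expected outcome for a Router Advertisement can be compared with what was observed. The function names `parse_rules`/`evaluate` and the ICMPv6 type numbers are choices made here (types from RFC 4443 / RFC 4861), not anything from the post.

```python
"""Toy evaluator for the three group-200 rules quoted above (added example,
not the poster's configuration or ipfilter's own code). It applies ipf
ordering: a later match overrides an earlier one unless the matching rule
says 'quick', which ends evaluation. A proto ipv6-icmp rule with no
icmp-type is treated as matching every ICMPv6 type, as the poster expected.
"""
import re

# The poster's group-200 rules with comments dropped (copied from the post).
RULES = """
block in log proto ipv6-icmp from any to any group 200
pass in quick family inet6 proto ipv6-icmp from any to any group 200
pass in log quick family inet6 proto ipv6-icmp from any to any icmp-type routerad group 200
"""

# ICMPv6 type numbers (RFC 4443 / RFC 4861) for the keywords handled here.
ICMP6_TYPES = {"echo": 128, "routersol": 133, "routerad": 134}

# Only the subset of ipf syntax that appears on this page is recognised.
RULE_RE = re.compile(
    r"^(?P<action>pass|block) in(?P<log> log)?(?P<quick> quick)?"
    r"(?: family inet6)? proto ipv6-icmp from any to any"
    r"(?: icmp-type (?P<itype>\w+))? group (?P<group>\d+)$")

def parse_rules(text):
    """Parse rule lines into dicts numbered in file order."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported rule syntax: {line!r}")
        d = m.groupdict()
        rules.append({"n": len(rules) + 1, "action": d["action"],
                      "log": d["log"] is not None, "quick": d["quick"] is not None,
                      "icmp_type": ICMP6_TYPES[d["itype"]] if d["itype"] else None})
    return rules

def evaluate(rules, icmp6_type):
    """Return (rule number, action, logged) for the rule that decides an
    inbound ICMPv6 packet of this type, or None if nothing matched."""
    decided = None
    for r in rules:
        if r["icmp_type"] is None or r["icmp_type"] == icmp6_type:
            decided = (r["n"], r["action"], r["log"])
            if r["quick"]:
                break
    return decided
```

Under these semantics `evaluate(parse_rules(RULES), 134)` is decided by rule 2 (pass, unlogged), whereas the logged match on rule 3 that the poster saw is what you get by evaluating with rule 2 absent. On the box itself, `ipfstat -hio` shows per-rule hit counts, which tells you directly whether the general rule ever matched.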