Date: Tue, 1 Aug 2006 19:05:49 +0200
From: Max Laier <max@love2party.net>
To: freebsd-pf@freebsd.org
Subject: Re: I'm getting sick - Problems filtering IPv6.
Message-ID: <200608011905.55505.max@love2party.net>
In-Reply-To: <20060801142925.54F5CB828@shodan.nognu.de>
References: <20060801142925.54F5CB828@shodan.nognu.de>
On Tuesday 01 August 2006 16:29, Frank Steinborn wrote:
> At first, here is the complete ruleset:
> http://www.nognu.de/~steinex/pf.conf.txt
>
> The Problem:
> As you can see, I'm having a stateful outgoing rule for IPv6:
>
> pass out on gif0 inet6 proto { tcp, udp, icmp6, ipv6 } all modulate state
>
> That works just fine. I can ping v6-hosts and surf the web via v6. But
> I want to open some daemons for the outside world, for example a
> nameserver:
>
> pass in on gif0 inet6 proto { tcp, udp } from any to 2001:1638:17ad::3 port 53 modulate state
>
> Let's try to connect to it now, from another box:
>
> $ telnet 2001:1638:17ad::3 53
> Trying 2001:1638:17ad::3...
> Connected to 2001:1638:17ad::3.
> Escape character is '^]'.
>
> That works just fine! Yay! However, if I try the same on the same box
> running the named and the filter:
>
> $ telnet 2001:1638:17ad::3 53
> Trying 2001:1638:17ad::3...
>
> That's it. It's not possible, and I'm really frustrated for days now.
> What is actually borked here? Let's have a look at the pflog0, what's
> dropping:
>
> 15:26:35.983709 rule 1/0(match): block in on gif0:
> 2001:1638:17ad::3.53 > 2001:1638:17ad::3.59761: tcp 40 [bad hdr
> length 4 - too short, < 20]
>
> Hmm. Bad hdr length? What's up here? If I change the rule

This really just is an artefact from a too short snaplen. Use -s 1500 and you
get rid of it.

The strange thing, however, is that this is the reply *from* port 53. So this
means the initial SYN got through alright. Can you check if a state has been
created (pfctl -vss) for that connection, please. I suspect that it has and
the problem would be that the reply doesn't match the state - for whatever
reason. Please check if there is a state and let me know - thanks.

> pass out on gif0 inet6 proto { tcp, udp, icmp6, ipv6 } all modulate state
> to
> pass on gif0 inet6 proto { tcp, udp, icmp6, ipv6 } all modulate state
>
> all works fine. But that's not what I want, of course. Can anyone give
> me a clue what's wrong here? Please, it's driving me crazy! :-(
>
> I found one thing about the "bad hdr length" thing on the mailinglist,
> but I'm not sure if it's related. And it's from 2005:
> http://lists.freebsd.org/pipermail/freebsd-current/2005-November/057922.html

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
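The two checks Max asks for in the reply above, as an added example that is not part of the original thread and not Frank's ruleset: re-capture pflog0 with a snaplen that is large enough to see whole TCP headers, and then look in `pfctl -vss` for a state belonging to the connection to 2001:1638:17ad::3 port 53. The layout of the `pfctl -vss` state lines that the parser expects (a header line carrying the state key, followed by indented detail lines, with IPv6 ports in square brackets) and the sample output it is run against are assumptions made here; check the layout against the pfctl on your own system before relying on the parser.

```shell
#!/bin/sh
# Added example for this thread; not code from Frank's pf.conf or from Max.
# (1) capture blocked packets on pflog0 with a full snaplen, and
# (2) find the pf state for a given protocol/address/port in "pfctl -vss".
#
# Assumed "pfctl -vss" layout (verify on your pf version): a header line
# with the state key, then indented detail lines, e.g.
#   all tcp 2001:1638:17ad::3[53] <- 2001:1638:17ad::3[59761]       ESTABLISHED:ESTABLISHED
#      age 00:00:03, expires in 00:00:57, 3:2 pkts, 200:160 bytes, rule 3
# "<-" marks a state created by an inbound packet, "->" by an outbound one.

# (1) The default snaplen truncates the packet, which tcpdump reports as
# "bad hdr length"; -s 1500 shows the whole header. Not run automatically.
capture_pflog() {
    tcpdump -n -e -ttt -s 1500 -i pflog0 ip6 and port 53
}

# (2) pf_state_for PROTO ADDR PORT  < pfctl-vss-output
# Prints every state (header plus its detail lines) for protocol PROTO whose
# key has ADDR[PORT] on either side. Exit status 0 if found, 1 otherwise.
pf_state_for() {
    awk -v proto="$1" -v key="$2[$3]" '
        # header lines start in column 1; detail lines are indented
        /^[^ ]/ { found = ($2 == proto && ($3 == key || $5 == key)) }
        found   { print; hit = 1 }
        END     { exit (hit ? 0 : 1) }
    '
}

# Same check against the live state table on the firewall itself.
live_state_for() {
    pfctl -vss | pf_state_for "$@"
}

# Constructed sample output (not captured from Frank's box) to exercise the
# parser: one TCP state for the DNS connection and one unrelated UDP state.
SAMPLE_STATES='all tcp 2001:1638:17ad::3[53] <- 2001:1638:17ad::3[59761]       ESTABLISHED:ESTABLISHED
   age 00:00:03, expires in 00:00:57, 3:2 pkts, 200:160 bytes, rule 3
all udp 2001:1638:17ad::3[53] <- 2001:db8::10[4242]       MULTIPLE:MULTIPLE
   age 00:00:10, expires in 00:00:50, 2:2 pkts, 160:300 bytes, rule 3'

if printf '%s\n' "$SAMPLE_STATES" | pf_state_for tcp 2001:1638:17ad::3 53; then
    echo "state found: the SYN matched a rule; compare the blocked reply against it"
else
    echo "no state: the SYN never created one"
fi
```

On the firewall, `live_state_for tcp 2001:1638:17ad::3 53` while the local telnet is hanging answers Max's question directly: a state with `<-` on the port-53 side means the `pass in` rule matched the SYN and the blocked reply is failing to match that state; no state at all means the SYN never reached a stateful rule on gif0 in the first place.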
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200608011905.55505.max>