From: Max Laier <max@love2party.net>
To: freebsd-pf@freebsd.org
Date: Tue, 1 Aug 2006 19:05:49 +0200
Message-Id: <200608011905.55505.max@love2party.net>
In-Reply-To: <20060801142925.54F5CB828@shodan.nognu.de>
Subject: Re: I'm getting sick - Problems filtering IPv6.
On Tuesday 01 August 2006 16:29, Frank Steinborn wrote:
> First, here is the complete ruleset:
> http://www.nognu.de/~steinex/pf.conf.txt
>
> The problem:
> As you can see, I have a stateful outgoing rule for IPv6:
>
> pass out on gif0 inet6 proto { tcp, udp, icmp6, ipv6 } all modulate state
>
> That works just fine. I can ping v6 hosts and surf the web via v6. But
> I want to open some daemons to the outside world, for example a
> nameserver:
>
> pass in on gif0 inet6 proto { tcp, udp } from any to 2001:1638:17ad::3 port 53 modulate state
>
> Let's try to connect to it now, from another box:
>
> $ telnet 2001:1638:17ad::3 53
> Trying 2001:1638:17ad::3...
> Connected to 2001:1638:17ad::3.
> Escape character is '^]'.
>
> That works just fine! Yay! However, if I try the same on the same box
> running named and the filter:
>
> $ telnet 2001:1638:17ad::3 53
> Trying 2001:1638:17ad::3...
>
> That's it. It's not possible, and I've been really frustrated for days now.
> What is actually borked here? Let's have a look at pflog0 to see what's
> being dropped:
>
> 15:26:35.983709 rule 1/0(match): block in on gif0: 2001:1638:17ad::3.53 > 2001:1638:17ad::3.59761: tcp 40 [bad hdr length 4 - too short, < 20]
>
> Hmm. Bad hdr length? What's up here? If I change the rule

This really is just an artefact of a too-short snaplen. Use -s 1500 and you
get rid of it.

The strange thing, however, is that this is the reply *from* port 53. So this
means the initial SYN got through alright.
Can you check if a state has been created (pfctl -vss) for that connection,
please. I suspect that it has, and the problem would be that the reply doesn't
match the state - for whatever reason. Please check if there is a state and
let me know - thanks.

> pass out on gif0 inet6 proto { tcp, udp, icmp6, ipv6 } all modulate state
>
> to
>
> pass on gif0 inet6 proto { tcp, udp, icmp6, ipv6 } all modulate state
>
> all works fine. But that's not what I want, of course. Can anyone give
> me a clue what's wrong here? Please, it's driving me crazy! :-(
>
> I found one thing about the "bad hdr length" thing on the mailing list,
> but I'm not sure if it's related. And it's from 2005:
> http://lists.freebsd.org/pipermail/freebsd-current/2005-November/057922.html

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
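A small checker for the two things asked for in the reply above: tell a snaplen artefact ("bad hdr length" from tcpdump) apart from a real decode, and see whether a packet pf dropped corresponds to a state in `pfctl -vss` output. This is an added example, not code from the thread or from pf itself. The pflog and `pfctl -vss` lines in it are constructed samples laid out the way tcpdump and pfctl of that era print them (tcpdump writes `addr.port`, pfctl writes `addr[port]` for IPv6 and `addr:port` for IPv4, outbound states as `src -> dst`, inbound as `dst <- src`); the matching rule, same 4-tuple in either direction on a state bound to `all` or the packet's interface, is a simplification of pf's real state lookup and ignores the protocol, which tcpdump does not print on every line.

```python
"""Cross-check pflog drops against the pf state table (added example)."""
import ipaddress
import re

# Constructed sample input.  The first pflog line is the one from the thread
# (captured with tcpdump's default snaplen); the second is the same SYN/ACK as
# it would decode with -s 1500; the third is an unrelated inbound SMTP attempt.
SAMPLE_PFLOG = """\
15:26:35.983709 rule 1/0(match): block in on gif0: 2001:1638:17ad::3.53 > 2001:1638:17ad::3.59761: tcp 40 [bad hdr length 4 - too short, < 20]
15:26:38.112233 rule 1/0(match): block in on gif0: 2001:1638:17ad::3.53 > 2001:1638:17ad::3.59761: S 1:1(0) ack 1 win 65535 <mss 1220>
15:26:40.000000 rule 1/0(match): block in on gif0: 2001:db8::9.40000 > 2001:1638:17ad::3.25: S 5:5(0) win 65535
"""

# Constructed `pfctl -vss` excerpt: one outbound TCP state for the telnet test
# and one unrelated inbound UDP state, each followed by pfctl's detail lines.
SAMPLE_STATES = """\
all tcp 2001:1638:17ad::3[59761] -> 2001:1638:17ad::3[53]       SYN_SENT:CLOSED
   [12345 + 65535] wscale 0  [0 + 65535] wscale 0
   age 00:00:02, expires in 00:00:28, 1:0 pkts, 80:0 bytes, rule 3
all udp 2001:1638:17ad::3[5353] <- 2001:db8::7[5353]       SINGLE:NO_TRAFFIC
   age 00:00:10, expires in 00:00:50, 1:0 pkts, 60:0 bytes, rule 2
"""

# "<ts> rule <n>: <pass|block> <in|out> on <if>: <src>.<sport> > <dst>.<dport>: <rest>"
# \S+ is greedy, so the port is split off at the last dot of each endpoint.
PFLOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+rule\s+(?P<rule>\S+):\s+(?P<action>pass|block)\s+"
    r"(?P<dir>in|out)\s+on\s+(?P<ifname>\w+):\s+"
    r"(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+(?P<dst>\S+)\.(?P<dport>\d+):\s*(?P<rest>.*)$"
)

# "<ifname|all> <proto> <addr>[<port>] <-|-> <addr>[<port>] <state>"
STATE_RE = re.compile(
    r"^(?P<ifname>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<a>\S+?)(?:\[(?P<ap>\d+)\]|:(?P<ap4>\d+))\s+(?P<arrow><-|->)\s+"
    r"(?P<b>\S+?)(?:\[(?P<bp>\d+)\]|:(?P<bp4>\d+))\s+(?P<state>\S+)"
)


def _key(src, sport, dst, dport):
    """Canonical 4-tuple; ipaddress normalises compressed IPv6 spellings."""
    return (str(ipaddress.ip_address(src)), int(sport),
            str(ipaddress.ip_address(dst)), int(dport))


def parse_pflog(lines):
    pkts = []
    for line in lines:
        m = PFLOG_RE.match(line)
        if not m:
            continue
        pkts.append({
            "dir": m["dir"], "ifname": m["ifname"],
            "key": _key(m["src"], m["sport"], m["dst"], m["dport"]),
            # tcpdump prints this when the snaplen cut the TCP header off; it
            # says nothing about the packet pf saw.  Recapture with -s 1500.
            "truncated": "bad hdr length" in m["rest"],
        })
    return pkts


def parse_states(lines):
    states = []
    for line in lines:
        if not line or line[0].isspace():
            continue  # seq/window and age lines belong to the previous state
        m = STATE_RE.match(line)
        if not m:
            continue
        ap, bp = m["ap"] or m["ap4"], m["bp"] or m["bp4"]
        if m["arrow"] == "->":      # outbound state: src[sport] -> dst[dport]
            key = _key(m["a"], ap, m["b"], bp)
        else:                       # inbound state:  dst[dport] <- src[sport]
            key = _key(m["b"], bp, m["a"], ap)
        states.append({"ifname": m["ifname"], "proto": m["proto"],
                       "state": m["state"], "key": key})
    return states


def find_state(pkt, states):
    """Return the state the packet or its reply direction would hit, if any."""
    src, sp, dst, dp = pkt["key"]
    reverse = (dst, dp, src, sp)
    for st in states:
        if st["ifname"] not in ("all", pkt["ifname"]):
            continue
        if st["key"] in (pkt["key"], reverse):
            return st
    return None


def check(pflog_text, states_text):
    states = parse_states(states_text.splitlines())
    report = []
    for pkt in parse_pflog(pflog_text.splitlines()):
        st = find_state(pkt, states)
        report.append({"key": pkt["key"], "truncated": pkt["truncated"],
                       "has_state": st is not None,
                       "state": st["state"] if st else None})
    return report


if __name__ == "__main__":
    for entry in check(SAMPLE_PFLOG, SAMPLE_STATES):
        src, sp, dst, dp = entry["key"]
        note = "snaplen artefact, recapture with -s 1500" if entry["truncated"] else "full decode"
        print(f"{src}.{sp} > {dst}.{dp}: {note}; state: {entry['state']}")
```

Feed it the real captures with `tcpdump -n -e -ttt -s 1500 -i pflog0` and `pfctl -vss`; a dropped reply that maps onto an existing state (as the first two sample lines do) points at a state-matching problem rather than a missing rule, while a drop with no state at all points back at the ruleset.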