Date: Thu, 17 Apr 2003 18:43:39 -0500 (CDT)
From: Kirk Strauser <kirk@strauser.com>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: kern/51111: ipf doesn't allow outbound IPv6 packets until the rulesets are reloaded
Message-ID: <200304172343.h3HNhd66000330@gopher.honeypot.net>
Resent-Message-ID: <200304172350.h3HNoDA7057652@freefall.freebsd.org>
>Number:         51111
>Category:       kern
>Synopsis:       ipf doesn't allow outbound IPv6 packets until the rulesets are reloaded
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Apr 17 16:50:12 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator:     Kirk Strauser
>Release:        FreeBSD 4.8-STABLE alpha
>Organization:
The Strauser Group
>Environment:
System: FreeBSD gopher.honeypot.net 4.8-STABLE FreeBSD 4.8-STABLE #0: Wed Apr 9 01:23:20 CDT 2003 root@gopher.honeypot.net:/usr/obj/usr/src/sys/GOPHER alpha

The kernel is a slight variant of GENERIC with unneeded drivers commented out and only these additions:

# Firewall
options         IPFILTER
options         IPFILTER_LOG
options         IPFILTER_DEFAULT_BLOCK

# Enhanced TCP security
options         RANDOM_IP_ID

It was compiled with:

CPUTYPE=ev4
CFLAGS= -O -pipe -mieee

>Description:
ipf doesn't seem to properly process IPv6 rules upon boot. I have a fairly simple ruleset that's loaded by /etc/rc.network when the machine starts:

#### Loopback
pass in quick on lo0 all head 2000
pass out quick on lo0 all head 2050

#### LAN
block in log quick on fxp1 all head 2100
block out log quick on fxp1 all head 2150

#### WAN
block in log quick on gif0 all head 2200
block out log quick on gif0 all head 2250

######## Exceptions ########

#### LAN
## Inbound - group 2100
pass in quick all keep state group 2100

## Outbound - group 2150
pass out quick all group 2150

#### WAN
# Allow in certain ports
pass in quick proto tcp/udp from any to 3ffe:b80:b8d:1:2d0:b7ff:fe0e:3a4a port = domain keep state group 2200
pass in quick proto tcp from any to 3ffe:b80:b8d:1:2d0:b7ff:fe0e:3a4a port = http keep state group 2200
pass in quick proto tcp from any to 3ffe:b80:b8d:1:2d0:b7ff:fe0e:3a4a port = smtp keep state group 2200
pass in quick proto tcp from any to 3ffe:b80:b8d:1:2d0:b7ff:fe0e:3a4a port = ssh keep state group 2200
pass in quick proto tcp from any to 3ffe:b80:b8d:1:2d0:b7ff:fe0e:3a4a port = pop3 keep state group 2200
pass in quick proto tcp from any to any port = auth keep state group 2200
pass in quick proto udp from any to any port = ntp keep state group 2200
pass in quick proto tcp/udp from any to 3ffe:b80:b8d:1:2d0:b7ff:fe0e:3a4a port = jabber-server keep state group 2200
pass in quick proto tcp/udp from any to 3ffe:b80:b8d:1:2d0:b7ff:fe0e:3a4a port = jabber-client keep state group 2200
pass in quick proto tcp/udp from any to any port = 6346 keep state group 2200
pass in quick proto ipv6-icmp all group 2200

## Outbound - group 2250
pass out quick proto tcp/udp all keep state group 2250
pass out quick proto ipv6-icmp all group 2250

After loading, the kernel's ipf rule table looks like this:

root@gopher:~# ipfstat -6io
pass out quick on lo0 from any to any head 2050
block out log quick on fxp1 from any to any head 2150
pass out quick from any to any group 2150
block out log quick on gif0 from any to any head 2250
pass out quick proto tcp/udp from any to any keep state group 2250
pass out quick proto ipv6-icmp from any to any group 2250
pass in quick on lo0 from any to any head 2000
block in log quick on fxp1 from any to any head 2100
pass in quick from any to any keep state group 2100
block in log quick on gif0 from any to any head 2200
pass in quick proto tcp/udp from any to 3ffe:b80:b8d:1:2d0:b7ff:fe0e:3a4a/128 port = domain keep state group 2200
pass in quick proto tcp from any to 3ffe:b80:b8d:1:2d0:b7ff:fe0e:3a4a/128 port = 80 keep state group 2200
pass in quick proto tcp from any to 3ffe:b80:b8d:1:2d0:b7ff:fe0e:3a4a/128 port = 25 keep state group 2200
pass in quick proto tcp from any to 3ffe:b80:b8d:1:2d0:b7ff:fe0e:3a4a/128 port = 22 keep state group 2200
pass in quick proto tcp from any to 3ffe:b80:b8d:1:2d0:b7ff:fe0e:3a4a/128 port = 110 keep state group 2200
pass in quick proto tcp from any to any port = 113 keep state group 2200
pass in quick proto udp from any to any port = 123 keep state group 2200
pass in quick proto tcp/udp from any to 3ffe:b80:b8d:1:2d0:b7ff:fe0e:3a4a/128 port = jabber-server keep state group 2200
pass in quick proto tcp/udp from any to 3ffe:b80:b8d:1:2d0:b7ff:fe0e:3a4a/128 port = jabber-client keep state group 2200
pass in quick proto tcp/udp from any to any port = 6346 keep state group 2200
pass in quick proto ipv6-icmp from any to any group 2200

The problem is that, despite the apparent correctness of the rules, I can't ping6 out from the server itself (although I *can* ping6 out from various Linux and FreeBSD hosts protected by this firewall):

root@gopher:~# ping6 www.kame.net
PING6(64=40+8+16 bytes) 3ffe:b80:2:614e::2 --> 3ffe:501:4819:2000:210:f3ff:fe03:4d0
^C
--- apple.kame.net ping6 statistics ---
34 packets transmitted, 0 packets received, 100% packet loss

If I reload the rules:

root@gopher:~# ipf -Fa -f /etc/ipf.rules -6 -Fa -f /etc/ipf6.rules

then I have the exact same kernel rule table as before:

root@gopher:~# ipfstat -6io
pass out quick on lo0 from any to any head 2050
block out log quick on fxp1 from any to any head 2150
pass out quick from any to any group 2150
block out log quick on gif0 from any to any head 2250
pass out quick proto tcp/udp from any to any keep state group 2250
pass out quick proto ipv6-icmp from any to any group 2250
pass in quick on lo0 from any to any head 2000
block in log quick on fxp1 from any to any head 2100
pass in quick from any to any keep state group 2100
block in log quick on gif0 from any to any head 2200
pass in quick proto tcp/udp from any to 3ffe:b80:b8d:1:2d0:b7ff:fe0e:3a4a/128 port = domain keep state group 2200
pass in quick proto tcp from any to 3ffe:b80:b8d:1:2d0:b7ff:fe0e:3a4a/128 port = 80 keep state group 2200
pass in quick proto tcp from any to 3ffe:b80:b8d:1:2d0:b7ff:fe0e:3a4a/128 port = 25 keep state group 2200
pass in quick proto tcp from any to 3ffe:b80:b8d:1:2d0:b7ff:fe0e:3a4a/128 port = 22 keep state group 2200
pass in quick proto tcp from any to 3ffe:b80:b8d:1:2d0:b7ff:fe0e:3a4a/128 port = 110 keep state group 2200
pass in quick proto tcp from any to any port = 113 keep state group 2200
pass in quick proto udp from any to any port = 123 keep state group 2200
pass in quick proto tcp/udp from any to 3ffe:b80:b8d:1:2d0:b7ff:fe0e:3a4a/128 port = jabber-server keep state group 2200
pass in quick proto tcp/udp from any to 3ffe:b80:b8d:1:2d0:b7ff:fe0e:3a4a/128 port = jabber-client keep state group 2200
pass in quick proto tcp/udp from any to any port = 6346 keep state group 2200
pass in quick proto ipv6-icmp from any to any group 2200

...except that now I *can* ping6 out from the machine:

root@gopher:~# ping6 www.kame.net
PING6(64=40+8+16 bytes) 3ffe:b80:2:614e::2 --> 3ffe:501:4819:2000:210:f3ff:fe03:4d0
24 bytes from 3ffe:501:4819:2000:210:f3ff:fe03:4d0, icmp_seq=0 hlim=53 time=424.338 ms
24 bytes from 3ffe:501:4819:2000:210:f3ff:fe03:4d0, icmp_seq=1 hlim=54 time=548.674 ms
24 bytes from 3ffe:501:4819:2000:210:f3ff:fe03:4d0, icmp_seq=2 hlim=54 time=423.075 ms
24 bytes from 3ffe:501:4819:2000:210:f3ff:fe03:4d0, icmp_seq=3 hlim=54 time=412.695 ms
24 bytes from 3ffe:501:4819:2000:210:f3ff:fe03:4d0, icmp_seq=4 hlim=54 time=433.834 ms
24 bytes from 3ffe:501:4819:2000:210:f3ff:fe03:4d0, icmp_seq=5 hlim=54 time=421.543 ms
24 bytes from 3ffe:501:4819:2000:210:f3ff:fe03:4d0, icmp_seq=6 hlim=54 time=468.47 ms
24 bytes from 3ffe:501:4819:2000:210:f3ff:fe03:4d0, icmp_seq=7 hlim=54 time=468.273 ms
24 bytes from 3ffe:501:4819:2000:210:f3ff:fe03:4d0, icmp_seq=8 hlim=54 time=440.753 ms
24 bytes from 3ffe:501:4819:2000:210:f3ff:fe03:4d0, icmp_seq=9 hlim=54 time=417.928 ms
^C
--- apple.kame.net ping6 statistics ---
10 packets transmitted, 10 packets received, 0% packet loss
round-trip min/avg/max/std-dev = 412.695/445.958/548.674/38.998 ms

Although not detailed above, the same problem holds for outbound TCP/UDP connections; I can't telnet out until I reload the ruleset.

Also interesting is that no entries appear in /var/log/ipf.log, although other correctly-blocked packets are logged as expected.

>How-To-Repeat:
Boot the machine and notice that it can't connect out via IPv6. Reload the ipf6.rules ruleset and connect out as expected.

>Fix:

>Release-Note:
>Audit-Trail:
>Unformatted:
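Added illustration for readers of this PR (it is not part of the report and not ipfilter's own code): a small Python model of ipf's head/group evaluation, restricted to the syntax the submitter's ipf6.rules actually uses, replayed against that ruleset with a few constructed packets. It shows what the loaded table is supposed to decide: outbound ICMPv6 and TCP/UDP on gif0 fall into group 2250 and are passed, an unlisted inbound port on gif0 falls back to the head rule's block, and LAN traffic on fxp1 is passed by group 2100. That is exactly the post-reload behaviour the submitter observes; the pre-boot-reload block in the report cannot be derived from the rule text, which is why the identical ipfstat output is the interesting part. The service-name-to-port table, the "block" default (standing in for IPFILTER_DEFAULT_BLOCK) and the simplified last-match/quick semantics are assumptions of this example, not a statement about the real ipf implementation.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

# The PR's ipf6.rules, embedded as input (comment lines dropped).
RULESET = """
pass in quick on lo0 all head 2000
pass out quick on lo0 all head 2050
block in log quick on fxp1 all head 2100
block out log quick on fxp1 all head 2150
block in log quick on gif0 all head 2200
block out log quick on gif0 all head 2250
pass in quick all keep state group 2100
pass out quick all group 2150
pass in quick proto tcp/udp from any to 3ffe:b80:b8d:1:2d0:b7ff:fe0e:3a4a port = domain keep state group 2200
pass in quick proto tcp from any to 3ffe:b80:b8d:1:2d0:b7ff:fe0e:3a4a port = http keep state group 2200
pass in quick proto tcp from any to 3ffe:b80:b8d:1:2d0:b7ff:fe0e:3a4a port = smtp keep state group 2200
pass in quick proto tcp from any to 3ffe:b80:b8d:1:2d0:b7ff:fe0e:3a4a port = ssh keep state group 2200
pass in quick proto tcp from any to 3ffe:b80:b8d:1:2d0:b7ff:fe0e:3a4a port = pop3 keep state group 2200
pass in quick proto tcp from any to any port = auth keep state group 2200
pass in quick proto udp from any to any port = ntp keep state group 2200
pass in quick proto tcp/udp from any to 3ffe:b80:b8d:1:2d0:b7ff:fe0e:3a4a port = jabber-server keep state group 2200
pass in quick proto tcp/udp from any to 3ffe:b80:b8d:1:2d0:b7ff:fe0e:3a4a port = jabber-client keep state group 2200
pass in quick proto tcp/udp from any to any port = 6346 keep state group 2200
pass in quick proto ipv6-icmp all group 2200
pass out quick proto tcp/udp all keep state group 2250
pass out quick proto ipv6-icmp all group 2250
"""

# Service names the ruleset uses, resolved the way /etc/services would (assumed values).
SERVICES = {"domain": 53, "http": 80, "smtp": 25, "ssh": 22, "pop3": 110,
            "auth": 113, "ntp": 123, "jabber-server": 5269, "jabber-client": 5222}

@dataclass
class Rule:
    action: str                         # "pass" or "block"
    direction: str                      # "in" or "out"
    quick: bool = False
    iface: Optional[str] = None         # None matches any interface
    protos: Optional[Set[str]] = None   # None matches any protocol
    dst: Optional[str] = None           # None matches any destination
    dport: Optional[int] = None         # None matches any port
    head: Optional[int] = None          # group consulted when this rule matches
    group: int = 0                      # 0 is the top-level list

@dataclass
class Packet:
    direction: str
    iface: str
    proto: str
    dst: str
    dport: Optional[int] = None

def parse_rule(line: str) -> Rule:
    # Keywords not modelled here (log, all, from any, keep state) are skipped.
    toks = line.split()
    r = Rule(action=toks[0], direction=toks[1])
    i = 2
    while i < len(toks):
        t = toks[i]
        if t == "quick":
            r.quick = True
        elif t == "on":
            r.iface = toks[i + 1]; i += 1
        elif t == "proto":
            r.protos = set(toks[i + 1].split("/")); i += 1
        elif t == "to":
            r.dst = None if toks[i + 1] == "any" else toks[i + 1].split("/")[0]; i += 1
        elif t == "port":               # 'port = <service|number>'
            r.dport = SERVICES.get(toks[i + 2]) or int(toks[i + 2]); i += 2
        elif t == "head":
            r.head = int(toks[i + 1]); i += 1
        elif t == "group":
            r.group = int(toks[i + 1]); i += 1
        i += 1
    return r

def matches(r: Rule, p: Packet) -> bool:
    return (r.direction == p.direction
            and (r.iface is None or r.iface == p.iface)
            and (r.protos is None or p.proto in r.protos)
            and (r.dst is None or r.dst == p.dst)
            and (r.dport is None or r.dport == p.dport))

def evaluate(rules: List[Rule], p: Packet, group: int = 0, default="block"):
    # Last matching rule wins unless it is 'quick'; a matching 'head' rule consults
    # its group first and keeps its own action only if nothing in the group matches.
    result = default
    for r in (x for x in rules if x.group == group):
        if not matches(r, p):
            continue
        result = r.action
        if r.head is not None:
            sub = evaluate(rules, p, r.head, default=None)
            result = result if sub is None else sub
        if r.quick:
            return result
    return result

RULES = [parse_rule(l) for l in RULESET.strip().splitlines()]
HOST = "3ffe:b80:b8d:1:2d0:b7ff:fe0e:3a4a"

def verdict(direction, iface, proto, dst="remote", dport=None) -> str:
    return evaluate(RULES, Packet(direction, iface, proto, dst, dport))

if __name__ == "__main__":
    print("out gif0 ipv6-icmp ->", verdict("out", "gif0", "ipv6-icmp"))   # pass
    print("in  gif0 tcp/8080  ->", verdict("in", "gif0", "tcp", HOST, 8080))  # block
```

Run it as-is to see the decisions for the packets in the main block, or call verdict() with other (direction, interface, protocol, destination, port) tuples; a packet that the model passes but the live host drops, with nothing in /var/log/ipf.log, is the discrepancy this PR describes.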