From owner-freebsd-pf@FreeBSD.ORG Tue Nov 18 16:51:14 2014
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 182401] [pf] pf state for some IPs reaches 4294967295 suspiciously
Date: Tue, 18 Nov 2014 16:51:14 +0000
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=182401

Johan Schuijt changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |johan@300.nl

--- Comment #5 from Johan Schuijt ---
I can confirm that we are seeing the same issues on both 10.0 and 10.1 on a
DNS cluster. We've had to disable source-tracking to prevent random IPs from
being blocked. When we clear the state tracking via pfctl -FS a blocked IP
immediately starts working again.

-- 
You are receiving this mail because:
You are the assignee for the bug.

From owner-freebsd-pf@FreeBSD.ORG Tue Nov 18 19:19:19 2014
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 182401] [pf] pf state for some IPs reaches 4294967295 suspiciously
Date: Tue, 18 Nov 2014 19:19:19 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=182401

--- Comment #6 from johans ---
The possible commit mentioned earlier in this thread only fixes counters for
rules. When I take a look at 'sys/net/pfvar.h' in releng/10.1 the struct
'pf_src_node' is still a u_int32_t for states and conn here. Refactoring these
and related code to counter_u64_t would probably fix this issue.
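A check for the symptom described in comments #5 and #6, added here and not part of the bug report: it scans `pfctl -sS` output for source nodes whose `states` or `connections` counter sits at 4294967295 (a u_int32_t that has wrapped), so an operator can spot affected hosts before source-track limits start blocking them. The sample lines are constructed, and the line format `src -> raddr ( states N, connections N, rate ... )` is assumed from pfctl's source-node printer.

```shell
#!/bin/sh
# Added example (not from the thread): flag pf source nodes whose per-source
# "states" / "connections" counters have wrapped to UINT32_MAX, the value
# 4294967295 reported in Bug 182401. Feed it `pfctl -sS` output.

# Constructed sample in the assumed `pfctl -sS` line format.
SAMPLE='203.0.113.10 -> 0.0.0.0 ( states 3, connections 0, rate 0.0/0s )
203.0.113.11 -> 0.0.0.0 ( states 4294967295, connections 2, rate 0.0/0s )
2001:db8::5 -> :: ( states 0, connections 4294967295, rate 0.0/0s )
198.51.100.7 -> 0.0.0.0 ( states 12, connections 12, rate 0.0/0s )'

WRAPPED=4294967295

# Reads source-node lines on stdin, prints "src states=N connections=N" for
# every wrapped node and exits 1 if any were found (0 otherwise), so the
# function can drive a monitoring check directly.
find_wrapped_src_nodes() {
    awk -v max="$WRAPPED" '
        /\( states [0-9]+, connections [0-9]+,/ {
            states = $0
            sub(/.*\( states /, "", states)
            sub(/,.*/, "", states)
            conns = $0
            sub(/.*connections /, "", conns)
            sub(/,.*/, "", conns)
            if (states == max || conns == max) {
                printf "%s states=%s connections=%s\n", $1, states, conns
                n++
            }
        }
        END { exit (n > 0 ? 1 : 0) }
    '
}

# Number of wrapped nodes in the embedded sample (used by the self-check).
count_wrapped() {
    printf '%s\n' "$SAMPLE" | find_wrapped_src_nodes | wc -l | tr -d ' '
}

# Demonstration on the sample; on a pf host replace the printf with `pfctl -sS`.
if ! printf '%s\n' "$SAMPLE" | find_wrapped_src_nodes; then
    echo "wrapped source nodes found; see Bug 182401 (pfctl -FS clears them)"
fi
```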
From owner-freebsd-pf@FreeBSD.ORG Thu Nov 20 10:05:57 2014
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 182401] [pf] pf state for some IPs reaches 4294967295 suspiciously
Date: Thu, 20 Nov 2014 10:05:57 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=182401

--- Comment #7 from johans ---
Created attachment 149638
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=149638&action=edit
patch-races-pf-state-tracking.patch

glebius@ was kind enough to send us his work in progress on this bug. We
created a patch (attached) for ourselves which combines the use of counter(9)
with the work done by glebius@. Now that these states are protected by the
PF_STATE_LOCK the counter(9) changes are probably no longer needed, but leaving
them in place definitely won't make things worse.

For those looking to quickly fix this issue, we are running 10.1-RELEASE with
this patch now and can confirm we are no longer seeing the problems at hand.

From owner-freebsd-pf@FreeBSD.ORG Sat Nov 22 09:20:11 2014
From: Niklaas Baudet von Gersdorff
To: freebsd-pf@freebsd.org
Subject: Configuring PF with Jails only having IPv6
Date: Sat, 22 Nov 2014 10:14:26 +0100
Message-ID: <20141122091426.GA2833@len-x61s.klaas>

Dear list members,

I have been struggling to properly set up PF for some days. I am renting
a root server that has one public IPv4 address and a /64 IPv6 subnet. It
is the first time that I am using FreeBSD 10. I got attracted by the
jails concept and successfully set up the root server itself as well as
one jail with ezjail using one IPv6 address. It is possible to connect
to the jail via SSH when PF is _disabled_.

The network configuration looks as follows. I censored some
information. The information that is censored is explained after each
output:

    # ifconfig
    re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
            options=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
            ether [# MAC address]
            inet [#1] netmask 0xffffffff broadcast [#2]
            inet6 fe80::6e62:6dff:fe60:74fb%re0 prefixlen 64 scopeid 0x1
            inet6 [#3] prefixlen 64
            inet6 [#4] prefixlen 64
            nd6 options=8021<PERFORMNUD,AUTO_LINKLOCAL,DEFAULTIF>
            media: Ethernet autoselect (1000baseT <full-duplex>)
            status: active
    lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
            options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
            inet6 ::1 prefixlen 128
            inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
            inet 127.0.0.1 netmask 0xff000000
            nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
    pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33160

[#1] = IPv4 address of root server
[#2] = IPv4 address of root server's gateway
[#3] = IPv6 address of root server
[#4] = IPv6 address of jail

    # netstat -r
    Routing tables

    Internet:
    Destination        Gateway            Flags    Refs      Use  Netif Expire
    default            static.[#2]        UGS         0   110615    re0
    localhost          link#2             UH          0     1614    lo0
    static.[#2]        [some MAC address] UHS         0        0    re0
    static.[#1]        link#1             UHS         0     8898    lo0 =>
    [#4]/32            link#1             U           0        0    re0

    Internet6:
    Destination        Gateway            Flags      Netif Expire
    ::                 localhost          UGRS        lo0 =>
    default            fe80::1%re0        UGS         re0
    localhost          link#2             UH          lo0
    ::ffff:0.0.0.0     localhost          UGRS        lo0
    [#3]               link#1             U           re0
    [#3]               link#1             UHS         lo0
    [#3]               link#1             UHS         lo0
    [#3]               link#1             UHS         lo0
    fe80::             localhost          UGRS        lo0
    fe80::%re0         link#1             U           re0
    fe80::6e62:6dff:fe link#1             UHS         lo0
    fe80::%lo0         link#2             U           lo0
    fe80::1%lo0        link#2             UHS         lo0
    ff01::%re0         fe80::6e62:6dff:fe U           re0
    ff01::%lo0         localhost          U           lo0
    ff02::             localhost          UGRS        lo0
    ff02::%re0         fe80::6e62:6dff:fe U           re0
    ff02::%lo0         localhost          U           lo0

[#1] = IPv4 address of the root server in reverse order
[#2] = IPv4 address of the gateway of the root server in reverse order
[#3] = IPv6 subnet
[#4] = IPv4 address of the root server

The network configuration is taken from

    http://wiki.hetzner.de/index.php/FreeBSD_installieren/en#IPv6

and provided by the provider where I am renting the root server which
results in the following configuration in `/etc/rc.conf`:

    ifconfig_re0="inet [#1]/32"
    gateway_if="re0"
    gateway_ip="[#2]"
    static_routes="gateway default"
    route_gateway="-host $gateway_ip -interface $gateway_if"
    route_default="default $gateway_ip"

    ipv6_default_interface="re0"
    ifconfig_re0_ipv6="[#3]/64"
    # set a static local interface-route
    ipv6_defaultrouter="fe80::1%re0"

    ifconfig_re0_alias0="inet6 [#4]/64"

[#1] = IPv4 address of the root server
[#2] = IPv4 address of the gateway of the root server
[#3] = IPv6 address of the root server
[#4] = IPv6 address of the jail

The following configuration I basically took from pf.conf(5):

    # pfctl -vnf /etc/pf.conf
    ext_if = "re0"
    services = "{ ssh }"
    table <clients> persist { [#1] [#2] [#3] }
    set skip on { lo0 }
    scrub in on re0 all fragment reassemble
    block return log on re0 all
    block drop in from no-route to any
    block drop in from urpf-failed to any
    block drop out log quick on re0 from ! <clients> to any
    block drop in quick on re0 inet from any to 255.255.255.255
    block drop in log quick on re0 inet from 10.0.0.0/8 to any
    block drop in log quick on re0 inet from 172.16.0.0/12 to any
    block drop in log quick on re0 inet from 192.168.0.0/16 to any
    block drop in log quick on re0 inet from 255.255.255.255 to any
    pass out on re0 proto udp all keep state
    pass in on re0 proto udp from any to any port = domain keep state
    pass on re0 inet proto icmp all icmp-type echoreq code 0 keep state
    pass out on re0 proto tcp all flags S/SA modulate state
    pass in on re0 proto tcp from any to any port = ssh flags S/SA keep state
    block drop in on re0 proto tcp from any os "nomatch" to any port = smtp

[#1] = IPv4 address of the root server
[#2] = IPv6 address of the root server
[#3] = IPv6 address of the jail

As a start I would like to block everything and only open the SSH port
so that I can connect to the root server itself as well as the jails
that I set up.

Although I did lots of research on the web, I haven't found any solution
to connect to the jail while PF is enabled yet. I guess this comes from
the somehow "weird" set-up of the routing in `/etc/rc.conf` and the fact
that I do not understand it. The following excerpt is from `pflog0`
which I get when I try to connect to the jail via SSH.

    00:00:01.043975 rule 0..16777216/0(match): block out on re0: (hlim 255, next-header ICMPv6 (58) payload length: 32) [#1] > ff02::1:ff00:1: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::1
              source link-address option (1), length 8 (1): [# MAC address]

[#1] = IPv6 address of jail

So it looks like ICMPv6 traffic is blocked but I am not sure about this.
Maybe I also need to add the "routing information" to PF's configuration
but I do not know how to do this.

Any help is very much appreciated.

Best,

-- 
Niklaas Baudet von Gersdorff
niklaas@kulturflatrate.net
http://www.twitter.com/NBvGersdorff
http://www.kulturflatrate.net/niklaas

From owner-freebsd-pf@FreeBSD.ORG Sat Nov 22 12:56:06 2014
From: Robin Geuze
To: Niklaas Baudet von Gersdorff
Cc: "freebsd-pf@freebsd.org"
Subject: Re: Configuring PF with Jails only having IPv6
Date: Sat, 22 Nov 2014 12:55:41 +0000

IPv6 uses icmp6 to transmit ndp packets. Ndp is basically the ipv6
version of arp. Based on your packet dump it seems your server is
trying to figure out the mac address for the router for ipv6 but is
disallowed by your pf rules. "pass in quick icmp6 from any to any" and
"pass out quick icmp6 from any to any" should fix your problem.

From owner-freebsd-pf@FreeBSD.ORG Sat Nov 22 14:26:02 2014
From: Darren Pilgrim
Reply-To: "freebsd-pf@freebsd.org"
To: Robin Geuze, Niklaas Baudet von Gersdorff
Cc: "freebsd-pf@freebsd.org"
Subject: Re: Configuring PF with Jails only having IPv6
Date: Sat, 22 Nov 2014 06:25:50 -0800
Message-ID: <54709CEE.2090800@bluerosetech.com>

On 11/22/2014 4:55 AM, Robin Geuze wrote:
> IPv6 uses icmp6 to transmit ndp packets. Ndp is basically the ipv6
> version of arp. Based on your packet dump it seems your server is
> trying to figure out the mac address for the router for ipv6 but is
> disallowed by your pf rules. "pass in quick icmp6 from any to any"
> and "pass out quick icmp6 from any to any" should fix your problem.

Or just "pass quick icmp6 from any to any".

You should limit the types, though. See RFC 4890. In short, allow types
1, 2, 3, 4, 128, 129, 135, and 136 universally. If you use router
advertisements, add types 133 and 134.
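The restricted ruleset Darren recommends, written out as an added example (not from any message in this thread) in pf.conf(5) syntax using that manual page's ICMPv6 type names; `$ext_if` and `<clients>` are taken from Niklaas's ruleset, and the numeric types are given in the comments.

```pf
# Added example, not from the thread. The blanket rule suggested in the
# replies passes every ICMPv6 type:
#
#   pass quick inet6 proto icmp6 all
#
# The RFC 4890 types Darren lists as always required:
#   1 unreach, 2 toobig, 3 timex, 4 paramprob,
#   128 echoreq, 129 echorep, 135 neighbrsol, 136 neighbradv
icmp6_base = "{ unreach, toobig, timex, paramprob, echoreq, echorep, neighbrsol, neighbradv }"
# 133 routersol, 134 routeradv: only when the host depends on router advertisements
icmp6_ra   = "{ routersol, routeradv }"

# These must be placed before
#   block drop out log quick on $ext_if from ! <clients> to any
# in the original ruleset: neighbor discovery can be sent from the link-local
# address or from :: (duplicate address detection), neither of which is in
# <clients>, and pf stops at the first matching "quick" rule.
pass quick on $ext_if inet6 proto icmp6 all icmp6-type $icmp6_base
pass quick on $ext_if inet6 proto icmp6 all icmp6-type $icmp6_ra
```

Check the result with `pfctl -vnf /etc/pf.conf` as in the original post; the blocked neighbor solicitation from the pflog excerpt (type 135, `neighbrsol`) then matches the first pass rule instead of the default block.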