From owner-freebsd-ipfw@FreeBSD.ORG Mon Dec 24 11:06:44 2012
Date: Mon, 24 Dec 2012 11:06:44 GMT
Message-Id: <201212241106.qBOB6iuW066062@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/169206  ipfw  [ipfw] ipfw does not flush entries in table
o conf/167822  ipfw  [ipfw] [patch] start script doesn't load firewall_type
o kern/166406  ipfw  [ipfw] ipfw does not set ALTQ identifier for ipv6 traf
o kern/165939  ipfw  [ipw] bug: incomplete firewall rules loaded if tables
o kern/165190  ipfw  [ipfw] [lo] [patch] loopback interface is not marking
f kern/163873  ipfw  [ipfw] ipfw fwd does not work with 'via interface' in
o kern/158066  ipfw  [ipfw] ipfw + netgraph + multicast = multicast packets
o kern/157796  ipfw  [ipfw] IPFW in-kernel NAT nat loopback / Default Route
o kern/157689  ipfw  [ipfw] ipfw nat config does not accept nonexistent int
f kern/155927  ipfw  [ipfw] ipfw stops to check packets for compliance with
o bin/153252   ipfw  [ipfw][patch] ipfw lockdown system in subsequent call
o kern/153161  ipfw  [ipfw] does not support specifying rules with ICMP cod
o kern/152113  ipfw  [ipfw] page fault on 8.1-RELEASE caused by certain amo
o kern/148827  ipfw  [ipfw] divert broken with in-kernel ipfw
o kern/148689  ipfw  [ipfw] antispoof wrongly triggers on link local IPv6 a
o kern/148430  ipfw  [ipfw] IPFW schedule delete broken.
o kern/148091  ipfw  [ipfw] ipfw ipv6 handling broken.
o kern/143973  ipfw  [ipfw] [panic] ipfw forward option causes kernel reboo
o kern/143621  ipfw  [ipfw] [dummynet] [patch] dummynet and vnet use result
o kern/137346  ipfw  [ipfw] ipfw nat redirect_proto is broken
o kern/137232  ipfw  [ipfw] parser troubles
o kern/135476  ipfw  [ipfw] IPFW table breaks after adding a large number o
o kern/129036  ipfw  [ipfw] 'ipfw fwd' does not change outgoing interface n
p kern/128260  ipfw  [ipfw] [patch] ipfw_divert damages IPv6 packets
o kern/127230  ipfw  [ipfw] [patch] Feature request to add UID and/or GID l
f kern/122963  ipfw  [ipfw] tcpdump does not show packets redirected by 'ip
s kern/121807  ipfw  [request] TCP and UDP port_table in ipfw
o kern/121122  ipfw  [ipfw] [patch] add support to ToS IP PRECEDENCE fields
o kern/116009  ipfw  [ipfw] [patch] Ignore errors when loading ruleset from
o bin/104921   ipfw  [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/104682  ipfw  [ipfw] [patch] Some minor language consistency fixes a
o kern/103454  ipfw  [ipfw] [patch] [request] add a facility to modify DF b
o kern/103328  ipfw  [ipfw] [request] sugestions about ipfw table
o kern/102471  ipfw  [ipfw] [patch] add tos and dscp support
o kern/97951   ipfw  [ipfw] [patch] ipfw does not tie interface details to
o kern/95084   ipfw  [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/86957   ipfw  [ipfw] [patch] ipfw mac logging
o bin/83046    ipfw  [ipfw] ipfw2 error: "setup" is allowed for icmp, but s
o kern/82724   ipfw  [ipfw] [patch] [request] Add setnexthop and defaultrou
o bin/78785    ipfw  [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
o bin/65961    ipfw  [ipfw] ipfw2 memory corruption inside add()
o kern/60719   ipfw  [ipfw] Headerless fragments generate cryptic error mes
s kern/55984   ipfw  [ipfw] [patch] time based firewalling support for ipfw
o kern/48172   ipfw  [ipfw] [patch] ipfw does not log size and flags
o kern/46159   ipfw  [ipfw] [patch] [request] ipfw dynamic rules lifetime f
a kern/26534   ipfw  [ipfw] Add an option to ipfw to log gid/uid of who cau

46
problems total.

From owner-freebsd-ipfw@FreeBSD.ORG Tue Dec 25 14:58:13 2012
Date: Tue, 25 Dec 2012 15:58:08 +0100
Message-ID: <50D9BF00.7050507@wenks.ch>
From: Fabian Wenk
To: freebsd-ipfw@freebsd.org
Subject: IPv6 addresses in tables not always working

Hello

To test tables with IPv6 for use with fail2ban (see thread "IPv6
Support" [1]), I tried it out on a FreeBSD 9.1-RELEASE (r244668) system.
Not all possible rules with tables which include IPv6 addresses seem to
work.

[1] http://sourceforge.net/mailarchive/message.php?msg_id=29387087

For fail2ban, both will be possible: using mixed tables with IPv4 and
IPv6 addresses, and separate tables with only IPv4 or only IPv6
addresses. So I tried a few variants.

First I created 3 different tables (IPv4 only, IPv6 only, IPv4 and IPv6
mixed), this worked so far:

root@freebsd9:~ # ipfw table 4 add 62.12.173.3
root@freebsd9:~ # ipfw table 4 add 62.2.85.180
root@freebsd9:~ # ipfw table 4 add 62.2.85.186
root@freebsd9:~ # ipfw table 4 list
62.2.85.180/32 0
62.2.85.186/32 0
62.12.173.3/32 0
root@freebsd9:~ #
root@freebsd9:~ # ipfw table 6 add 2001:8a8:1005:1::3
root@freebsd9:~ # ipfw table 6 add 2001:8a8:1005:2::180
root@freebsd9:~ # ipfw table 6 add 2001:8a8:1005:2::186
root@freebsd9:~ # ipfw table 6 list
2001:8a8:1005:1::3/128 0
2001:8a8:1005:2::180/128 0
2001:8a8:1005:2::186/128 0
root@freebsd9:~ #
root@freebsd9:~ # ipfw table 46 add 62.12.173.3
root@freebsd9:~ # ipfw table 46 add 62.2.85.180
root@freebsd9:~ # ipfw table 46 add 62.2.85.186
root@freebsd9:~ # ipfw table 46 add 2001:8a8:1005:1::3
root@freebsd9:~ # ipfw table 46 add 2001:8a8:1005:2::180
root@freebsd9:~ # ipfw table 46 add 2001:8a8:1005:2::186
root@freebsd9:~ # ipfw table 46 list
62.2.85.180/32 0
62.2.85.186/32 0
62.12.173.3/32 0
2001:8a8:1005:1::3/128 0
2001:8a8:1005:2::180/128 0
2001:8a8:1005:2::186/128 0
root@freebsd9:~ #

Then I created a few basic rules for testing, which also worked (I did
shorten the hostname prompt to avoid line wrap):

f9:~ # ipfw add 1 unreach port tcp from table\(4\) to me 22 in
00001 unreach port tcp from table(4) to me dst-port 22 in
f9:~ # ipfw add 2 unreach6 port tcp from table\(6\) to me6 22 in
00002 unreach6 port tcp from table(6) to me6 dst-port 22 in
f9:~ # ipfw add 3 unreach port tcp from table\(46\) to me 22 in
00003 unreach port tcp from table(46) to me dst-port 22 in
root@freebsd9:~ #
root@freebsd9:~ # ipfw show | head -3
00001 0 0 unreach port tcp from table(4) to me dst-port 22 in
00002 0 0 unreach6 port tcp from table(6) to me6 dst-port 22 in
00003 0 0 unreach port tcp from table(46) to me dst-port 22 in
root@freebsd9:~ #

Then I did some testing from the remote system (the IP addresses in the
tables). With IPv4 it is blocked right away with a connection refused;
with IPv6 it takes 25 seconds and it tried to send many more packets.
The destination system (freebsd9) has 2 IP addresses each. When I also
test with telnet, it tries to connect to both addresses and shows this,
but with similar timeouts as with ssh below:

fabian@superman:~ $ time ssh -4 freebsd9
ssh: connect to host freebsd9.wenks.ch port 22: Connection refused

real 0m0.015s
user 0m0.002s
sys  0m0.008s
fabian@superman:~ $
fabian@superman:~ $ time ssh -6 freebsd9
ssh: connect to host freebsd9.wenks.ch port 22: Connection refused

real 0m25.212s
user 0m0.005s
sys  0m0.006s
fabian@superman:~ $

root@freebsd9:~ # ipfw show | head -3
00001 2 120 unreach port tcp from table(4) to me dst-port 22 in
00002 10 752 unreach6 port tcp from table(6) to me6 dst-port 22 in
00003 0 0 unreach port tcp from table(46) to me dst-port 22 in
root@freebsd9:~ #

Then I deleted the IPv4 and IPv6 only rules to only test with the mixed
IPv4 and IPv6 table(46):

root@freebsd9:~ # ipfw delete 1 2
root@freebsd9:~ # ipfw show | head -1
00003 0 0 unreach port tcp from table(46) to me dst-port 22 in
root@freebsd9:~ #

And again testing from the remote system, the timeouts are still with
the same difference for IPv4 and IPv6, but the message for IPv6 is now
different:

fabian@superman:~ $ time ssh -4 freebsd9
ssh: connect to host freebsd9.wenks.ch port 22: Connection refused

real 0m0.012s
user 0m0.008s
sys  0m0.000s
fabian@superman:~ $

root@freebsd9:~ # ipfw show | head -1
00003 2 120 unreach port tcp from table(46) to me dst-port 22 in
root@freebsd9:~ #

fabian@superman:~ $ time ssh -6 freebsd9
ssh: connect to host freebsd9.wenks.ch port 22: Host is down

real 0m25.212s
user 0m0.009s
sys  0m0.001s
fabian@superman:~ $

root@freebsd9:~ # ipfw show | head -1
00003 12 872 unreach port tcp from table(46) to me dst-port 22 in
root@freebsd9:~ #

I also tried some other rules, which would be use cases for my setup
with fail2ban, but not all of them work:

freebsd9:~ # ipfw add 4 deny ip6 from table\(6\) to me6 22 in
ipfw: bad address "table(6)"
root@freebsd9:~ #
root@freebsd9:~ # ipfw add 5 deny ip4 from table\(4\) to me 22 in
00005 deny ip4 from table(4) to me dst-port 22 in
root@freebsd9:~ #

Ok, the next one probably does not have a real use case, I was just
testing:

freebsd9:~ # ipfw add 6 deny ip4 from table\(46\) to me 22 in
00006 deny ip4 from table(46) to me dst-port 22 in
root@freebsd9:~ #

To help collect the information regarding IPv6 support in ipfw tables,
what other rules should I test? Or is this already enough information
for any FreeBSD IPFW developer to be able to locate and probably fix
these issues?

I guess it is probably better to first collect some more information
regarding IPv6 and tables here on the list and then create a
corresponding PR later on for it.

bye
Fabian

From owner-freebsd-ipfw@FreeBSD.ORG Tue Dec 25 16:36:21 2012
Date: Tue, 25 Dec 2012 20:35:49 +0400
Message-ID: <50D9D5E5.8050809@FreeBSD.org>
From: "Alexander V. Chernikov"
To: Fabian Wenk
Cc: freebsd-ipfw@freebsd.org
Subject: Re: IPv6 addresses in tables not always working
In-Reply-To: <50D9BF00.7050507@wenks.ch>
References: <50D9BF00.7050507@wenks.ch>

On 25.12.2012 18:58, Fabian Wenk wrote:
> Hello
>
> To test tables with IPv6 for use with fail2ban (see thread "IPv6
> Support" [1]), I tried it out on a FreeBSD 9.1-RELEASE (r244668) system.
> Not all possible rules with tables which include IPv6 addresses seem to
> work.
>
> [1] http://sourceforge.net/mailarchive/message.php?msg_id=29387087
>
> For fail2ban, both will be possible: using mixed tables with IPv4 and
> IPv6 addresses, and separate tables with only IPv4 or only IPv6
> addresses. So I tried a few variants.
>
> First I created 3 different tables (IPv4 only, IPv6 only, IPv4 and IPv6
> mixed), this worked so far:
...
> Then I deleted the IPv4 and IPv6 only rules to only test with the mixed
> IPv4 and IPv6 table(46):
>
> root@freebsd9:~ # ipfw delete 1 2
> root@freebsd9:~ # ipfw show | head -1
> 00003 0 0 unreach port tcp from table(46) to me dst-port 22 in
> root@freebsd9:~ #
>
> And again testing from the remote system, the timeouts are still with
> the same difference for IPv4 and IPv6, but the message for IPv6 is now
> different:

unreach && unreach6 do different things: the former implies the O_REJECT
token (which is ipv4 only) while the latter calls O_UNREACH6 (which is
ipv6 only). I'm not sure why we're utilizing O_UNREACH6 instead of
re-using O_REJECT..

> root@freebsd9:~ # ipfw show | head -1
> 00003 12 872 unreach port tcp from table(46) to me dst-port 22 in
> root@freebsd9:~ #
>
>
> I also tried some other rules, which would be use cases for my setup
> with fail2ban, but not all of them work:
>
> freebsd9:~ # ipfw add 4 deny ip6 from table\(6\) to me6 22 in
> ipfw: bad address "table(6)"
> root@freebsd9:~ #

Yep, this is a known problem (and some similar ones still remain).
Fixed in r240892 (r241883 for stable/9).

...
> To help collect the information regarding IPv6 support in ipfw tables,
> what other rules should I test? Or is this already enough information
> for any FreeBSD IPFW developer to be able to locate and probably fix
> these issues?
>
> I guess it is probably better to first collect some more information
> regarding IPv6 and tables here on the list and then create a
> corresponding PR later on for it.
>
>
> bye
> Fabian

-- 
WBR, Alexander

From owner-freebsd-ipfw@FreeBSD.ORG Thu Dec 27 23:36:58 2012
Date: Thu, 27 Dec 2012 23:36:58 GMT
Message-Id: <201212272336.qBRNaw37066250@freefall.freebsd.org>
From: qingli@FreeBSD.org
To: qingli@FreeBSD.org, freebsd-net@FreeBSD.org, freebsd-ipfw@FreeBSD.org
Subject: Re: kern/174749: Unexpected change of default route

Synopsis: Unexpected change of default route

Responsible-Changed-From-To: freebsd-net->freebsd-ipfw
Responsible-Changed-By: qingli
Responsible-Changed-When: Thu Dec 27 23:36:00 UTC 2012
Responsible-Changed-Why:
similar to kern/157796

http://www.freebsd.org/cgi/query-pr.cgi?pr=174749