From owner-freebsd-pf@FreeBSD.ORG Tue Oct 21 07:43:59 2014
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 124933] [pf] [ip6] pf does not support (drops) IPv6 fragmented packets
Date: Tue, 21 Oct 2014 07:43:58 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 7.0-RELEASE
X-Bugzilla-Severity: Affects Only Me
X-Bugzilla-Status: In Discussion
X-Bugzilla-Assigned-To: freebsd-pf@FreeBSD.org
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
List-Id: "Technical discussion and general questions about packet filter (pf)"

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=124933

doktornotor@mailinator.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |doktornotor@mailinator.com

--- Comment #6 from doktornotor@mailinator.com ---
What's up here? In discussion? It's broken, end of discussion. What upstream? You blame upstream and then stop taking updates from them (https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=167057)? 6 years, nothing done, fabulous really.

FYI, this is so bad it totally kills some websites, as in, not usable with IPv6 at all.

-- 
You are receiving this mail because:
You are the assignee for the bug.

From owner-freebsd-pf@FreeBSD.ORG Thu Oct 23 18:25:58 2014
From: Tugrul Erdogan
To: freebsd-pf@freebsd.org
Subject: SynProxy had a trouble when located front of a router device
Date: Thu, 23 Oct 2014 21:25:55 +0300

Hi,

I have trouble with the pf synproxy state handshaking mechanism. I have been using pf for years, but this is the first time I have a router at the backplane of the topology. The schema of my topology is given below:

  Attacker <----------> FreeBSD(Test) <-----------> Router <----> Victim

I am trying to connect from the attacker to the victim on port 80. Without the synproxy rule I connect successfully.
Whenever I activate synproxy state, the client (attacker) side handshake completes (on the outer interface of the FreeBSD device):

21:09:53.531421 IP AA.BB.183.93.51510 > AA.BB.189.100.80: Flags [S], seq 1458776780, win 5840, options [mss 1460,sackOK,TS val 1336836512 ecr 0,nop,wscale 7], length 0
21:09:53.531494 IP AA.BB.189.100.80 > AA.BB.183.93.51510: Flags [S.], seq 2093170245, ack 1458776781, win 0, options [mss 1460], length 0
21:09:53.531524 IP AA.BB.183.93.51510 > AA.BB.189.100.80: Flags [.], ack 1, win 5840, length 0
21:09:56.533680 IP AA.BB.183.93.51510 > AA.BB.189.100.80: Flags [.], ack 1, win 5840, length 0
21:10:02.532255 IP AA.BB.183.93.51510 > AA.BB.189.100.80: Flags [.], ack 1, win 5840, length 0

After that, "pfctl -vvss" shows:

ix1 tcp AA.BB..183.93:51513 -> AA.BB..189.100:80 PROXY:DST

and there is no packet at the inner interface of the FreeBSD device in the tcpdump output. After some seconds FreeBSD generates RST packets to both sides. (There are no handshake SYN or ACK packets generated by pf synproxy at the inner interface.)

I think that the problem is about the router, because I had successful connections before the router device. When I turn off synproxy, or use "keep state" instead of "synproxy state", I can connect successfully.

I want to take your opinions about why the handshake packets could not be generated by pf synproxy?
Regards,
Tugrul

From owner-freebsd-pf@FreeBSD.ORG Thu Oct 23 18:36:59 2014
From: Tugrul Erdogan
To: freebsd-pf@freebsd.org
Subject: Re: SynProxy had a trouble when located front of a router device
Date: Thu, 23 Oct 2014 21:36:57 +0300

Update:

The topology has been redrawn below:

| Attacker | <-> | FreeBSD | <-> | Router | <-> | Victim |

Thanks,

PS: Although connections are lost by pf synproxy, the pings (from attacker to victim) return successfully.

From owner-freebsd-pf@FreeBSD.ORG Fri Oct 24 10:52:56 2014
From: Tugrul Erdogan
To: freebsd-pf@freebsd.org
Subject: Re: SynProxy had a trouble when located front of a router device
Date: Fri, 24 Oct 2014 13:52:53 +0300
I have an important finding. I think it is about the VLAN between FreeBSD and Router in the diagram. While the Attacker-FreeBSD connection is a normal IP connection, the FreeBSD-Router connection was tagged VLAN 159. While the FreeBSD-Router connection is VLAN based, the synproxy rule's "State Creations" value increases and synproxy sends ACKs to the Attacker. However, the synproxy replay with the original server does not work (the routing rule counter in the OS routing table which redirects packets to the FreeBSD-Router side is increasing, but the packet cannot be created). When I change the FreeBSD-Router connection to a normal IP connection without a VLAN, it starts working.

What can be the problem and solution?
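The failure described in this thread (the client-side handshake completes on the outer interface, the state sits in PROXY:DST, nothing is ever sent on the inner interface, and pf eventually resets both sides) has a recognisable shape in the two captures. The Python script below is an added example, not code from the thread, from pf or from FreeBSD: it parses tcpdump lines like the ones posted, checks for the SYN-ACK that pf generates when it answers the client itself (acknowledging the client's ISN+1, with a zero window and nothing but an MSS option), counts how many times the client re-sends its bare ACK while waiting, and reports whether a server-side SYN ever appeared on the inner interface. `OUTER_CAPTURE` copies the posted outer-interface capture; `INNER_CAPTURE_STALLED` is empty, as reported; `INNER_CAPTURE_OK` is a constructed line showing what a working proxy would emit, with illustrative values. The function `analyze_synproxy` and its result keys are this example's own naming.

```python
"""Spot a stalled pf synproxy handshake from tcpdump output (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Outer-interface capture, copied from the capture posted in the thread.
OUTER_CAPTURE = """\
21:09:53.531421 IP AA.BB.183.93.51510 > AA.BB.189.100.80: Flags [S], seq 1458776780, win 5840, options [mss 1460,sackOK,TS val 1336836512 ecr 0,nop,wscale 7], length 0
21:09:53.531494 IP AA.BB.189.100.80 > AA.BB.183.93.51510: Flags [S.], seq 2093170245, ack 1458776781, win 0, options [mss 1460], length 0
21:09:53.531524 IP AA.BB.183.93.51510 > AA.BB.189.100.80: Flags [.], ack 1, win 5840, length 0
21:09:56.533680 IP AA.BB.183.93.51510 > AA.BB.189.100.80: Flags [.], ack 1, win 5840, length 0
21:10:02.532255 IP AA.BB.183.93.51510 > AA.BB.189.100.80: Flags [.], ack 1, win 5840, length 0
"""
# Inner interface as reported in the thread: nothing at all.
INNER_CAPTURE_STALLED = ""
# Constructed inner-side line showing what a working proxy would emit:
# pf's own SYN toward the victim (values are illustrative, not captured).
INNER_CAPTURE_OK = (
    "21:09:53.531600 IP AA.BB.183.93.51510 > AA.BB.189.100.80: "
    "Flags [S], seq 2093170245, win 0, options [mss 1460], length 0\n"
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP6? (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>\d+)(?::\d+)?)?(?:, ack (?P<ack>\d+))?, win (?P<win>\d+)"
    r"(?:, options \[(?P<opts>[^\]]*)\])?, length \d+"
)


@dataclass
class Packet:
    ts: str
    src: str
    dst: str
    flags: str
    seq: Optional[int]
    ack: Optional[int]
    win: int
    options: list = field(default_factory=list)


def parse_tcpdump(text: str) -> list[Packet]:
    """Parse the TCP lines of a tcpdump text capture; other lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        opts = [o.strip() for o in m["opts"].split(",")] if m["opts"] else []
        pkts.append(Packet(m["ts"], m["src"], m["dst"], m["flags"],
                           int(m["seq"]) if m["seq"] else None,
                           int(m["ack"]) if m["ack"] else None,
                           int(m["win"]), opts))
    return pkts


def analyze_synproxy(outer_text: str, inner_text: str, server_port: int = 80) -> dict:
    """Correlate the client-facing and server-facing captures of one proxied connect."""
    outer, inner = parse_tcpdump(outer_text), parse_tcpdump(inner_text)
    sfx = f".{server_port}"
    syn = next((p for p in outer if p.flags == "S" and p.dst.endswith(sfx)), None)
    synack = next((p for p in outer if p.flags == "S." and p.src.endswith(sfx)), None)
    result = {
        "client_syn": syn is not None,
        "proxy_synack": False,
        "client_handshake_complete": False,
        "client_ack_repeats": 0,
        # The proxy's own SYN toward the real server must show up on the inner side.
        "server_side_syn": any(p.flags == "S" and p.dst.endswith(sfx) for p in inner),
        "verdict": "no client handshake observed",
    }
    if syn is None or synack is None:
        return result
    # pf answers the client itself: SYN-ACK acknowledging ISN+1, window 0,
    # and nothing but an MSS option (the client's own MSS echoed back).
    result["proxy_synack"] = (
        synack.ack == syn.seq + 1 and synack.win == 0
        and len(synack.options) == 1 and synack.options[0].startswith("mss ")
    )
    # Client's third-way ACK; tcpdump prints it relative ("ack 1") unless -S is used.
    acks = [p for p in outer if p.src == syn.src and p.dst == syn.dst
            and p.flags == "." and p.ack in (1, synack.seq + 1)]
    result["client_handshake_complete"] = bool(acks)
    result["client_ack_repeats"] = max(len(acks) - 1, 0)
    if result["client_handshake_complete"] and not result["server_side_syn"]:
        result["verdict"] = "stalled: proxy never started the server-side handshake"
    elif result["client_handshake_complete"]:
        result["verdict"] = "proxying: server-side handshake started"
    return result


if __name__ == "__main__":
    for name, inner in (("stalled", INNER_CAPTURE_STALLED), ("ok", INNER_CAPTURE_OK)):
        r = analyze_synproxy(OUTER_CAPTURE, inner)
        print(f"{name}: repeats={r['client_ack_repeats']} -> {r['verdict']}")
```

The script only tells you that the proxy's second handshake never started, not why; for the VLAN case in the last message the useful check is to capture on the interface the route actually points at (`route -n get <victim>` on FreeBSD), which for a tagged link is the vlan(4) interface rather than its parent, and to compare the rule's state-creation counters from `pfctl -vsr` against what appears there.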