Date:      Tue, 04 Dec 2018 21:32:19 +0000
From:      bugzilla-noreply@freebsd.org
To:        pf@FreeBSD.org
Subject:   [Bug 233581] Bug in PF or in PF man-page?
Message-ID:  <bug-233581-16861-VgY9OgrC2T@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-233581-16861@https.bugs.freebsd.org/bugzilla/>
References:  <bug-233581-16861@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=233581

--- Comment #10 from peos42 <peo_s@incedo.org> ---
Have not tested on head. Is something fixed regarding this?


Config posted below as requested. Note that the IPv4 and IPv6 addresses are
substituted with fake ones.


#######################
### FROM MAIN HOST ####
#######################
22:09:30 huey:~ # ifconfig -a
vtnet0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=6c07bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        ether 00:16:3c:7f:67:0e
        hwaddr 00:16:3c:7f:67:0e
        inet 1.2.3.4 netmask 0xffffff00 broadcast 1.2.3.255
        inet6 fe80::216:3cff:fe7f:670e%vtnet0 prefixlen 64 scopeid 0x1
        inet6 2222:3333:6:6df::1111 prefixlen 48
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet 10Gbase-T <full-duplex>
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        groups: lo
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33160
        groups: pflog
22:09:32 huey:~ #


Note that the PF below will be rebuilt from scratch with variables and tagging
etc. But for this case it doesn't matter....

22:10:21 huey:~ # more /etc/pf.conf |grep -v ^#|sed '/^$/d'
set skip on lo0
block all
pass out quick on { lo0 vtnet0 } inet proto {tcp gre esp udp icmp ipv6} all keep state
pass out quick on { lo0 vtnet0 } inet6 proto {tcp gre esp udp icmp6} all keep state
pass out quick on { lo0 vtnet0 } inet6 all keep state
antispoof quick for vtnet0
pass in log quick on vtnet0 inet proto icmp from any to vtnet0 icmp-type { 8 code 0 , 3 code 3 , 11 code 0 } keep state
pass in quick on vtnet0 inet6 proto { ipv6-icmp } from any to any keep state
block in log quick on vtnet0 proto tcp from <bad_hosts_SSH_MAIN_HOST> to vtnet0 port { 22 }
pass in log quick on vtnet0 inet proto tcp from any to vtnet0 port { 22 } flags S/SAFR keep state (max 100, max-src-nodes 30, max-src-states 30, max-src-conn 20, max-src-conn-rate 3/30, overload <bad_hosts_SSH_MAIN_HOST> flush global)
pass in log quick on vtnet0 inet6 proto tcp from any to vtnet0 port { 22 } flags S/SAFR keep state (max 100, max-src-nodes 30, max-src-states 30, max-src-conn 20, max-src-conn-rate 3/30, overload <bad_hosts_SSH_MAIN_HOST> flush global)
block in log quick on vtnet0 proto tcp from <bad_hosts_SSH_DNS_HOST> to vtnet0 port { 10022 }
pass in log quick on vtnet0 inet proto tcp from any to vtnet0 port { 10022 } flags S/SAFR keep state (max 100, max-src-nodes 30, max-src-states 30, max-src-conn 20, max-src-conn-rate 3/30, overload <bad_hosts_SSH_DNS_HOST> flush global)
pass in log quick on vtnet0 inet6 proto tcp from any to vtnet0 port { 10022 } flags S/SAFR keep state (max 100, max-src-nodes 30, max-src-states 30, max-src-conn 20, max-src-conn-rate 3/30, overload <bad_hosts_SSH_DNS_HOST> flush global)
pass in quick on vtnet0 inet proto tcp from any to vtnet0 port { 53 } flags S/SAFR keep state
pass in quick on vtnet0 inet6 proto tcp from any to vtnet0 port { 53 } flags S/SAFR keep state
pass in quick on vtnet0 inet proto udp from any to vtnet0 port { 53 } keep state
pass in quick on vtnet0 inet6 proto udp from any to vtnet0 port { 53 } keep state
pass in quick on lo0 inet proto tcp from 1.2.3.4 to 1.2.3.4 port 953 flags S/SAFR keep state
block in log quick on vtnet0 proto tcp from <bad_hosts_SSH_MAIL_HOST> to vtnet0 port { 20022 }
pass in log quick on vtnet0 inet proto tcp from any to vtnet0 port { 20022 } flags S/SAFR keep state (max 100, max-src-nodes 30, max-src-states 30, max-src-conn 20, max-src-conn-rate 3/30, overload <bad_hosts_SSH_MAIL_HOST> flush global)
pass in log quick on vtnet0 inet6 proto tcp from any to vtnet0 port { 20022 } flags S/SAFR keep state (max 100, max-src-nodes 30, max-src-states 30, max-src-conn 20, max-src-conn-rate 3/30, overload <bad_hosts_SSH_MAIL_HOST> flush global)
pass in log quick on vtnet0 inet proto tcp from any to vtnet0 port { 25 465 587 } flags S/SAFR keep state
pass in log quick on vtnet0 inet6 proto tcp from any to vtnet0 port { 25 465 587 } flags S/SAFR keep state
block in log quick on vtnet0 proto tcp from <bad_hosts_SSH_WEB_HOST> to vtnet0 port { 30022 }
pass in log quick on vtnet0 inet proto tcp from any to vtnet0 port { 30022 } flags S/SAFR keep state (max 100, max-src-nodes 30, max-src-states 30, max-src-conn 20, max-src-conn-rate 3/30, overload <bad_hosts_SSH_WEB_HOST> flush global)
pass in log quick on vtnet0 inet6 proto tcp from any to vtnet0 port { 30022 } flags S/SAFR keep state (max 100, max-src-nodes 30, max-src-states 30, max-src-conn 20, max-src-conn-rate 3/30, overload <bad_hosts_SSH_WEB_HOST> flush global)
pass in log quick on vtnet0 inet proto tcp from any to vtnet0 port { 80 443 } flags S/SAFR keep state
pass in log quick on vtnet0 inet6 proto tcp from any to vtnet0 port { 80 443 } flags S/SAFR keep state
22:10:24 huey:~ #



###########################
### FROM DNS JAIL HOST ####
###########################


"rndc reload" does NOT work in this jail if the following pf.conf row is
removed from the main host...

pass in quick on lo0 inet proto tcp from 1.2.3.4 to 1.2.3.4 port 953 flags S/SAFR keep state

On OpenBSD this is not needed as "set skip on lo0" works... But all this I have
already written in earlier posts.



22:11:25 DNS:~ # ifconfig -a
vtnet0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=6c07bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        ether 00:16:3c:7f:67:0e
        hwaddr 00:16:3c:7f:67:0e
        inet 1.2.3.4 netmask 0xffffff00 broadcast 1.2.3.255
        inet6 2222:3333:6:6df::1111 prefixlen 48
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet 10Gbase-T <full-duplex>
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        groups: lo
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33160
        groups: pflog
22:11:27 DNS:~ #


22:13:24 DNS:~ # more /usr/local/etc/namedb/rndc.conf |grep default-server
        default-server 1.2.3.4;
22:13:25 DNS:~ #

22:13:26 DNS:~ # more /usr/local/etc/namedb/named.conf |grep 953
        inet 1.2.3.4 port 953 allow { 1.2.3.4; 127.0.0.1; 2222:3333:5:6df::1111; } keys { "rndc-key"; };
22:13:31 DNS:~ #

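The following is an added example, not the reporter's file and not anything from the FreeBSD project: the port-22 part of the ruleset posted above, rebuilt with macros and a persistent table the way the reporter says he intends to do, together with the explicit loopback rule he needed for "rndc reload" in the jail. The address, table name, port and state limits are taken from the posted config; the macro names, the "persist" flag and the comments are my assumptions. The per-jail ports (10022, 20022, 30022) follow the same shape with their own tables. One caveat worth checking independently of how "set skip on lo0" behaves: pf.conf(5) notes under antispoof that the rules it generates interfere with packets sent over loopback interfaces to local addresses, and that such packets should be passed explicitly.

```pf
# Added example (not the bug reporter's pf.conf): SSH brute-force limiting for
# port 22 plus the explicit loopback pass for rndc. Macro names, "persist" and
# comments are assumptions; address, table, ports and limits come from the post.
ext_if  = "vtnet0"
host_v4 = "1.2.3.4"

# persist: the kernel keeps the table even when no rule refers to it, so the
# banned sources are not lost if the table is momentarily unreferenced.
table <bad_hosts_SSH_MAIN_HOST> persist

set skip on lo0
block all

# antispoof for vtnet0 expands to, among others,
#   block drop in inet from 1.2.3.4 to any
# pf.conf(5) warns that these rules also hit loopback traffic to local
# addresses, which therefore has to be passed explicitly (see rule below).
antispoof quick for $ext_if

# The rule the reporter needed: rndc in the jail talking to named on 953.
pass in quick on lo0 inet proto tcp from $host_v4 to $host_v4 port 953 \
    flags S/SAFR keep state

# Sources already in the table are dropped (and logged to pflog0) before
# the rate-limited pass rule is evaluated.
block in log quick on $ext_if proto tcp from <bad_hosts_SSH_MAIN_HOST> \
    to $ext_if port 22

# flags S/SAFR: only a clean SYN creates state. A source opening more than
# 3 new connections per 30 s, or holding more than 20 at once, is added to
# the table; "flush global" then kills every state that source holds, not
# only the SSH ones.
pass in log quick on $ext_if inet proto tcp from any to $ext_if port 22 \
    flags S/SAFR keep state \
    ( max 100, max-src-nodes 30, max-src-states 30, max-src-conn 20, \
      max-src-conn-rate 3/30, overload <bad_hosts_SSH_MAIN_HOST> flush global )
pass in log quick on $ext_if inet6 proto tcp from any to $ext_if port 22 \
    flags S/SAFR keep state \
    ( max 100, max-src-nodes 30, max-src-states 30, max-src-conn 20, \
      max-src-conn-rate 3/30, overload <bad_hosts_SSH_MAIN_HOST> flush global )
```

To check a ruleset like this on the host: `pfctl -nf /etc/pf.conf` parses it without loading; `pfctl -sr` prints the loaded rules with antispoof expanded into its block rules, which is where to look when loopback traffic to a local address is unexpectedly dropped; `pfctl -t bad_hosts_SSH_MAIN_HOST -T show` lists the sources currently banned; and `tcpdump -n -e -ttt -i pflog0` shows, with the matching rule number, what the logging rules are dropping.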