Date: Tue, 04 Dec 2018 21:32:19 +0000
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 233581] Bugg in PF or in PF man-page?
Message-ID: <bug-233581-16861-VgY9OgrC2T@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-233581-16861@https.bugs.freebsd.org/bugzilla/>
References: <bug-233581-16861@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=233581

--- Comment #10 from peos42 <peo_s@incedo.org> ---
Have not tested on head. Is something fixed regarding this?

Config posted below as requested. Note that IPv4 and IPv6 addresses are substituted with fake ones.

#######################
### FROM MAIN HOST ####
#######################

22:09:30 huey:~ # ifconfig -a
vtnet0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=6c07bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        ether 00:16:3c:7f:67:0e
        hwaddr 00:16:3c:7f:67:0e
        inet 1.2.3.4 netmask 0xffffff00 broadcast 1.2.3.255
        inet6 fe80::216:3cff:fe7f:670e%vtnet0 prefixlen 64 scopeid 0x1
        inet6 2222:3333:6:6df::1111 prefixlen 48
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet 10Gbase-T <full-duplex>
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        groups: lo
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33160
        groups: pflog
22:09:32 huey:~ #

Note that the PF below will be rebuilt from scratch with variables and tagging etc. But for this case it doesn't matter....
22:10:21 huey:~ # more /etc/pf.conf |grep -v ^#|sed '/^$/d'
set skip on lo0
block all
pass out quick on { lo0 vtnet0 } inet proto {tcp gre esp udp icmp ipv6} all keep state
pass out quick on { lo0 vtnet0 } inet6 proto {tcp gre esp udp icmp6} all keep state
pass out quick on { lo0 vtnet0 } inet6 all keep state
antispoof quick for vtnet0
pass in log quick on vtnet0 inet proto icmp from any to vtnet0 icmp-type { 8 code 0 , 3 code 3 , 11 code 0 } keep state
pass in quick on vtnet0 inet6 proto { ipv6-icmp } from any to any keep state
block in log quick on vtnet0 proto tcp from <bad_hosts_SSH_MAIN_HOST> to vtnet0 port { 22 }
pass in log quick on vtnet0 inet proto tcp from any to vtnet0 port { 22 } flags S/SAFR keep state (max 100, max-src-nodes 30, max-src-states 30, max-src-conn 20, max-src-conn-rate 3/30, overload <bad_hosts_SSH_MAIN_HOST> flush global)
pass in log quick on vtnet0 inet6 proto tcp from any to vtnet0 port { 22 } flags S/SAFR keep state (max 100, max-src-nodes 30, max-src-states 30, max-src-conn 20, max-src-conn-rate 3/30, overload <bad_hosts_SSH_MAIN_HOST> flush global)
block in log quick on vtnet0 proto tcp from <bad_hosts_SSH_DNS_HOST> to vtnet0 port { 10022 }
pass in log quick on vtnet0 inet proto tcp from any to vtnet0 port { 10022 } flags S/SAFR keep state (max 100, max-src-nodes 30, max-src-states 30, max-src-conn 20, max-src-conn-rate 3/30, overload <bad_hosts_SSH_DNS_HOST> flush global)
pass in log quick on vtnet0 inet6 proto tcp from any to vtnet0 port { 10022 } flags S/SAFR keep state (max 100, max-src-nodes 30, max-src-states 30, max-src-conn 20, max-src-conn-rate 3/30, overload <bad_hosts_SSH_DNS_HOST> flush global)
pass in quick on vtnet0 inet proto tcp from any to vtnet0 port { 53 } flags S/SAFR keep state
pass in quick on vtnet0 inet6 proto tcp from any to vtnet0 port { 53 } flags S/SAFR keep state
pass in quick on vtnet0 inet proto udp from any to vtnet0 port { 53 } keep state
pass in quick on vtnet0 inet6 proto udp from any to vtnet0 port { 53 } keep state
pass in quick on lo0 inet proto tcp from 1.2.3.4 to 1.2.3.4 port 953 flags S/SAFR keep state
block in log quick on vtnet0 proto tcp from <bad_hosts_SSH_MAIL_HOST> to vtnet0 port { 20022 }
pass in log quick on vtnet0 inet proto tcp from any to vtnet0 port { 20022 } flags S/SAFR keep state (max 100, max-src-nodes 30, max-src-states 30, max-src-conn 20, max-src-conn-rate 3/30, overload <bad_hosts_SSH_MAIL_HOST> flush global)
pass in log quick on vtnet0 inet6 proto tcp from any to vtnet0 port { 20022 } flags S/SAFR keep state (max 100, max-src-nodes 30, max-src-states 30, max-src-conn 20, max-src-conn-rate 3/30, overload <bad_hosts_SSH_MAIL_HOST> flush global)
pass in log quick on vtnet0 inet proto tcp from any to vtnet0 port { 25 465 587 } flags S/SAFR keep state
pass in log quick on vtnet0 inet6 proto tcp from any to vtnet0 port { 25 465 587 } flags S/SAFR keep state
block in log quick on vtnet0 proto tcp from <bad_hosts_SSH_WEB_HOST> to vtnet0 port { 30022 }
pass in log quick on vtnet0 inet proto tcp from any to vtnet0 port { 30022 } flags S/SAFR keep state (max 100, max-src-nodes 30, max-src-states 30, max-src-conn 20, max-src-conn-rate 3/30, overload <bad_hosts_SSH_WEB_HOST> flush global)
pass in log quick on vtnet0 inet6 proto tcp from any to vtnet0 port { 30022 } flags S/SAFR keep state (max 100, max-src-nodes 30, max-src-states 30, max-src-conn 20, max-src-conn-rate 3/30, overload <bad_hosts_SSH_WEB_HOST> flush global)
pass in log quick on vtnet0 inet proto tcp from any to vtnet0 port { 80 443 } flags S/SAFR keep state
pass in log quick on vtnet0 inet6 proto tcp from any to vtnet0 port { 80 443 } flags S/SAFR keep state
22:10:24 huey:~ #

###########################
### FROM DNS JAIL HOST ####
###########################

"rndc reload" does NOT work in this jail if the following pf.conf row is removed from the main host...

pass in quick on lo0 inet proto tcp from 1.2.3.4 to 1.2.3.4 port 953 flags S/SAFR keep state

On OpenBSD this is not needed as "set skip on lo0" works... But all this I have already written in earlier posts.

22:11:25 DNS:~ # ifconfig -a
vtnet0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=6c07bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        ether 00:16:3c:7f:67:0e
        hwaddr 00:16:3c:7f:67:0e
        inet 1.2.3.4 netmask 0xffffff00 broadcast 1.2.3.255
        inet6 2222:3333:6:6df::1111 prefixlen 48
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet 10Gbase-T <full-duplex>
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        groups: lo
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33160
        groups: pflog
22:11:27 DNS:~ #

22:13:24 DNS:~ # more /usr/local/etc/namedb/rndc.conf |grep default-server
        default-server 1.2.3.4;
22:13:25 DNS:~ #

22:13:26 DNS:~ # more /usr/local/etc/namedb/named.conf |grep 953
        inet 1.2.3.4 port 953 allow { 1.2.3.4; 127.0.0.1; 2222:3333:5:6df::1111; } keys { "rndc-key"; };
22:13:31 DNS:~ #

-- 
You are receiving this mail because:
You are the assignee for the bug.
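Added illustration for this thread (not part of the bug report and not FreeBSD's or pf's code): a toy Python model of the three pf behaviours that decide the reporter's case, namely "set skip on <if>" exempting an interface from filtering, last-matching-rule-wins, and "quick" ending evaluation at the first matching quick rule. It hand-transcribes a subset of the main host's pf.conf above and assumes, as the reporter's working rule implies, that the jail's rndc connection reaches pf as an inbound TCP packet on lo0 from 1.2.3.4 to 1.2.3.4 port 953. The names IFACE_ADDRS, Rule, Packet, evaluate and rndc_verdict are this example's own. Whether "set skip on lo0" actually applies to that looped-back jail traffic on FreeBSD is exactly what the report questions, so the model shows both outcomes rather than asserting either.

```python
"""Toy model of pf rule evaluation (constructed example, not pf code)."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# An interface name used as an address in a rule expands to that
# interface's addresses. Addresses are the substituted ones from the report.
IFACE_ADDRS = {
    "vtnet0": {"1.2.3.4", "2222:3333:6:6df::1111"},
    "lo0": {"127.0.0.1", "::1"},
}


@dataclass(frozen=True)
class Rule:
    action: str                              # "pass" or "block"
    direction: Optional[str] = None          # "in" / "out"; None matches both
    quick: bool = False
    ifaces: Optional[FrozenSet[str]] = None  # None = any interface
    af: Optional[str] = None                 # "inet" / "inet6"; None = both
    protos: Optional[FrozenSet[str]] = None  # None = any protocol
    src: Optional[str] = None                # address, interface name or None (any)
    dst: Optional[str] = None
    dports: Optional[FrozenSet[int]] = None  # None = any destination port


@dataclass(frozen=True)
class Packet:
    direction: str
    iface: str
    af: str
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _addr_match(spec: Optional[str], addr: str) -> bool:
    if spec is None:
        return True
    if spec in IFACE_ADDRS:
        return addr in IFACE_ADDRS[spec]
    return spec == addr


def matches(rule: Rule, pkt: Packet) -> bool:
    return (
        (rule.direction is None or rule.direction == pkt.direction)
        and (rule.ifaces is None or pkt.iface in rule.ifaces)
        and (rule.af is None or rule.af == pkt.af)
        and (rule.protos is None or pkt.proto in rule.protos)
        and _addr_match(rule.src, pkt.src)
        and _addr_match(rule.dst, pkt.dst)
        and (rule.dports is None or pkt.dport in rule.dports)
    )


def evaluate(rules: List[Rule], pkt: Packet,
             skip_ifaces: FrozenSet[str] = frozenset()) -> Tuple[str, Optional[int]]:
    """Return (verdict, index of deciding rule). Index None means no rule
    decided: a skipped interface or no match at all, both of which pass."""
    if pkt.iface in skip_ifaces:
        return "pass", None
    verdict, idx = "pass", None  # pf's default when nothing matches
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            verdict, idx = rule.action, i
            if rule.quick:  # quick: stop at the first matching quick rule
                break
    return verdict, idx


# Hand-transcribed subset of the main host's pf.conf from the report.
BOTH = frozenset({"lo0", "vtnet0"})
BASE_RULES = [
    Rule("block"),                                                  # block all
    Rule("pass", "out", True, BOTH, "inet",
         frozenset({"tcp", "gre", "esp", "udp", "icmp", "ipv6"})),  # pass out quick ... inet
    Rule("pass", "out", True, BOTH, "inet6",
         frozenset({"tcp", "gre", "esp", "udp", "icmp6"})),         # pass out quick ... inet6
    Rule("pass", "in", True, frozenset({"vtnet0"}), "inet",
         frozenset({"tcp"}), None, "vtnet0", frozenset({22})),      # ssh from anywhere
]
# The rule the reporter found necessary for "rndc reload" inside the jail.
RNDC_RULE = Rule("pass", "in", True, frozenset({"lo0"}), "inet",
                 frozenset({"tcp"}), "1.2.3.4", "1.2.3.4", frozenset({953}))

# Assumed view of the jail's rndc connection: 1.2.3.4 -> 1.2.3.4:953, inbound on lo0.
RNDC_PKT = Packet("in", "lo0", "inet", "tcp", "1.2.3.4", "1.2.3.4", 953)


def rndc_verdict(with_rule: bool, honor_skip: bool) -> str:
    """Verdict for the jail's rndc connection with or without the explicit
    port-953 rule, and with 'set skip on lo0' applied to it or not."""
    rules = BASE_RULES + ([RNDC_RULE] if with_rule else [])
    skip = frozenset({"lo0"}) if honor_skip else frozenset()
    return evaluate(rules, RNDC_PKT, skip)[0]


if __name__ == "__main__":
    for with_rule in (False, True):
        for honor_skip in (False, True):
            print(f"explicit 953 rule={with_rule!s:<5} skip applied={honor_skip!s:<5} "
                  f"-> {rndc_verdict(with_rule, honor_skip)}")
```

Run as a script it prints the four combinations: without the explicit rule the connection is passed only if "set skip on lo0" covers it, otherwise "block all" wins; with the explicit quick rule it passes either way, which is the behaviour the reporter observes. The same evaluate() can be fed any Packet to see which transcribed rule decides it.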