FreeBSD Bugzilla – Attachment 252624 Details for Bug 280701: FreeBSD-SA-24:05 fix breaks ICMP/ICMP6 states handling in pf firewall (ping, traceroute)
pf ruleset
ruleset.txt (text/plain), 10.82 KB, created by doktornotor on 2024-08-09 09:30:19 UTC
Description: pf ruleset
Filename: ruleset.txt
MIME Type: text/plain
Creator: doktornotor
Created: 2024-08-09 09:30:19 UTC
Size: 10.82 KB
# pfctl -sr
scrub in all fragment reassemble
block drop in log on ! igb1 inet6 from fd00:5c31:a994::/64 to any
block drop in log on igb1 inet6 from fe80::20d:b9ff:fe48:8555 to any
block drop in log inet6 from fd00:5c31:a994::1:1 to any
block drop in log on ! igb0 inet6 from 2001:1ae9:10f0:db00::/64 to any
block drop in log on igb0 inet6 from fe80::20d:b9ff:fe48:8554 to any
block drop in log inet6 from 2001:1ae9:10f0:db00:20d:b9ff:fe48:8554 to any
block drop in log inet6 from 2001:1ae9:10f0:db00:d7d8:f27b:f771:a86c to any
block drop in log on ! igb1 inet from 192.168.1.0/24 to any
block drop in log inet from 192.168.1.1 to any
block drop in log on ! igb0 inet from 192.168.0.0/24 to any
block drop in log inet from 192.168.0.18 to any
block drop in log inet all label "02f4bab031b57d1e30553ce08e0ec131"
block drop in log inet6 all label "02f4bab031b57d1e30553ce08e0ec131"
pass in log quick inet6 proto ipv6-icmp all icmp6-type unreach keep state label "1d245529367b2e34eeaff16086aeafe9"
pass in log quick inet6 proto ipv6-icmp all icmp6-type toobig keep state label "1d245529367b2e34eeaff16086aeafe9"
pass in log quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state label "1d245529367b2e34eeaff16086aeafe9"
pass in log quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state label "1d245529367b2e34eeaff16086aeafe9"
pass out log quick inet6 proto ipv6-icmp from (self) to fe80::/10 icmp6-type echoreq keep state label "acdbb900b50d8fb4ae21ddfdc609ecf8"
pass out log quick inet6 proto ipv6-icmp from (self) to ff02::/16 icmp6-type echoreq keep state label "acdbb900b50d8fb4ae21ddfdc609ecf8"
pass out log quick inet6 proto ipv6-icmp from (self) to fe80::/10 icmp6-type echorep keep state label "acdbb900b50d8fb4ae21ddfdc609ecf8"
pass out log quick inet6 proto ipv6-icmp from (self) to ff02::/16 icmp6-type echorep keep state label "acdbb900b50d8fb4ae21ddfdc609ecf8"
pass out log quick inet6 proto ipv6-icmp from (self) to fe80::/10 icmp6-type routersol keep state label "acdbb900b50d8fb4ae21ddfdc609ecf8"
pass out log quick inet6 proto ipv6-icmp from (self) to ff02::/16 icmp6-type routersol keep state label "acdbb900b50d8fb4ae21ddfdc609ecf8"
pass out log quick inet6 proto ipv6-icmp from (self) to fe80::/10 icmp6-type routeradv keep state label "acdbb900b50d8fb4ae21ddfdc609ecf8"
pass out log quick inet6 proto ipv6-icmp from (self) to ff02::/16 icmp6-type routeradv keep state label "acdbb900b50d8fb4ae21ddfdc609ecf8"
pass out log quick inet6 proto ipv6-icmp from (self) to fe80::/10 icmp6-type neighbrsol keep state label "acdbb900b50d8fb4ae21ddfdc609ecf8"
pass out log quick inet6 proto ipv6-icmp from (self) to ff02::/16 icmp6-type neighbrsol keep state label "acdbb900b50d8fb4ae21ddfdc609ecf8"
pass out log quick inet6 proto ipv6-icmp from (self) to fe80::/10 icmp6-type neighbradv keep state label "acdbb900b50d8fb4ae21ddfdc609ecf8"
pass out log quick inet6 proto ipv6-icmp from (self) to ff02::/16 icmp6-type neighbradv keep state label "acdbb900b50d8fb4ae21ddfdc609ecf8"
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state label "42e9d787749713a849d8e92432efdfaa"
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state label "42e9d787749713a849d8e92432efdfaa"
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state label "42e9d787749713a849d8e92432efdfaa"
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state label "42e9d787749713a849d8e92432efdfaa"
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state label "42e9d787749713a849d8e92432efdfaa"
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state label "42e9d787749713a849d8e92432efdfaa"
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state label "42e9d787749713a849d8e92432efdfaa"
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state label "42e9d787749713a849d8e92432efdfaa"
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state label "42e9d787749713a849d8e92432efdfaa"
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state label "42e9d787749713a849d8e92432efdfaa"
pass in log quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state label "8752fca75c6be992847ea984161bd3f1"
pass in log quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state label "8752fca75c6be992847ea984161bd3f1"
pass in log quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state label "8752fca75c6be992847ea984161bd3f1"
pass in log quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbrsol keep state label "8752fca75c6be992847ea984161bd3f1"
pass in log quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbradv keep state label "8752fca75c6be992847ea984161bd3f1"
pass in log quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type echoreq keep state label "71dd196398b3f1da265dbd9dcad00e70"
pass in log quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type routersol keep state label "71dd196398b3f1da265dbd9dcad00e70"
pass in log quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type routeradv keep state label "71dd196398b3f1da265dbd9dcad00e70"
pass in log quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type neighbrsol keep state label "71dd196398b3f1da265dbd9dcad00e70"
pass in log quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type neighbradv keep state label "71dd196398b3f1da265dbd9dcad00e70"
block drop in log quick inet proto tcp from any port = 0 to any label "7b5bdc64d7ae74be1932f6764a591da5"
block drop in log quick inet proto udp from any port = 0 to any label "7b5bdc64d7ae74be1932f6764a591da5"
block drop in log quick inet6 proto tcp from any port = 0 to any label "7b5bdc64d7ae74be1932f6764a591da5"
block drop in log quick inet6 proto udp from any port = 0 to any label "7b5bdc64d7ae74be1932f6764a591da5"
block drop in log quick inet proto tcp from any to any port = 0 label "ae69f581dc429e3484a65f8ecd63baa5"
block drop in log quick inet proto udp from any to any port = 0 label "ae69f581dc429e3484a65f8ecd63baa5"
block drop in log quick inet6 proto tcp from any to any port = 0 label "ae69f581dc429e3484a65f8ecd63baa5"
block drop in log quick inet6 proto udp from any to any port = 0 label "ae69f581dc429e3484a65f8ecd63baa5"
pass log quick inet6 proto carp from any to ff02::12 keep state label "cf439d72ef4d245e8ad4a1405df1f665"
pass log quick inet proto carp from any to 224.0.0.18 keep state label "2ffa978d51f7b3fbc9000c2895106ee7"
block drop in log quick proto tcp from <sshlockout> to (self) port = ssh label "669143f420c3ab4118bcb0bf4b5fd823"
block drop in log quick proto tcp from <sshlockout> to (self) port = https label "6baefc2a9cf2536834c092a51134a45c"
block drop in log quick from <virusprot> to any label "8e367e2f9944d93137ae56d788c5d5e1"
pass in log quick on igb1 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "5168be2cca1e130b1ef2ac18161356a8"
pass in log quick on igb1 proto udp from any port = bootpc to (self) port = bootps keep state label "0b032d1bab91fc97e4a7faf03a7f17c3"
pass out log quick on igb1 proto udp from (self) port = bootps to any port = bootpc keep state label "5039e43005a9aa50eb032af274cc9aad"
pass in log quick on igb1 inet6 proto udp from fe80::/10 to fe80::/10 port = dhcpv6-client keep state label "fef3d333d96a8d3558956de1fffc61cc"
pass in log quick on igb1 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-client keep state label "fef3d333d96a8d3558956de1fffc61cc"
pass in log quick on igb1 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-server keep state label "d2bd536587a9f5680c1f850b2d346839"
pass in log quick on igb1 inet6 proto udp from ff02::/16 to fe80::/10 port = dhcpv6-server keep state label "3420206ced96c01ef73fbc4ac9deb745"
pass in log quick on igb1 inet6 proto udp from fe80::/10 to (self) port = dhcpv6-client keep state label "0fd202708c326aebbe44ab710b6d3652"
pass out log quick on igb1 inet6 proto udp from (self) port = dhcpv6-server to fe80::/10 keep state label "83f6c28de8efae9b444094e4a5bf898c"
pass in log quick on igb0 inet6 proto udp from any to fe80::/10 port = dhcpv6-client keep state label "dd8286ff6bd92ea385227e7803c07646"
pass out log quick on igb0 inet6 proto udp from fe80::/10 port = dhcpv6-client to fe80::/10 port = dhcpv6-server keep state label "804495ccfd5c09b17e72422cc30c23d8"
pass out log quick on igb0 inet6 proto udp from fe80::/10 port = dhcpv6-client to ff02::/16 port = dhcpv6-server keep state label "804495ccfd5c09b17e72422cc30c23d8"
pass in log quick on igb0 proto udp from any port = bootps to any port = bootpc keep state label "f994f615e00b8be0042263f86c79913f"
pass out log quick on igb0 proto udp from any port = bootpc to any port = bootps keep state label "5cf7ab808da1fcbca1ddb9ba9b46b669"
pass in quick on lo0 all no state label "7535c94082e72e2207679aadb26afd92"
pass out log all flags S/SA keep state allow-opts label "fae559338f65e11c53669fc3642c93c2"
pass in log quick on igb1 proto tcp from any to (self) port = ssh flags S/SA keep state label "bb72618316fdf630cdf15f33ae3d699f"
pass in log quick on igb1 proto tcp from any to (self) port = http flags S/SA keep state label "bb72618316fdf630cdf15f33ae3d699f"
pass in log quick on igb1 proto tcp from any to (self) port = https flags S/SA keep state label "bb72618316fdf630cdf15f33ae3d699f"
pass out log route-to (igb0 192.168.0.254) inet from (igb0) to ! (igb0:network) flags S/SA keep state allow-opts label "25317b606bbeb8522d3dc66b350595a1"
pass out log route-to (igb0 fe80::20d:b9ff:fe41:5db1) inet6 from (igb0) to ! (igb0:network) flags S/SA keep state allow-opts label "91af02f708c71d296f2293a00f2ec1cc"
pass in quick on igb1 inet from (igb1:network) to any flags S/SA keep state label "c9fb95f8275a8a73ce4a68190ed7bc51"
pass in quick on igb1 inet6 from (igb1:network) to any flags S/SA keep state label "e0d7d87c02c29ff98108738507811fec"
pass in quick on igb1 inet6 from fe80::/10 to any flags S/SA keep state label "e0d7d87c02c29ff98108738507811fec"

# pfctl -sn
no nat proto carp all
nat on igb0 inet from (igb1:network) to any port = isakmp -> (igb0:0) static-port
nat on igb0 inet from (lo0:network) to any port = isakmp -> (igb0:0) static-port
nat on igb0 inet from 127.0.0.0/8 to any port = isakmp -> (igb0:0) static-port
nat on igb0 inet from (igb1:network) to any -> (igb0:0) port 1024:65535
nat on igb0 inet from (lo0:network) to any -> (igb0:0) port 1024:65535
nat on igb0 inet from 127.0.0.0/8 to any -> (igb0:0) port 1024:65535
no rdr proto carp all
no rdr on igb1 proto tcp from any to (igb1) port = ssh
no rdr on igb1 proto tcp from any to (igb1) port = http
no rdr on igb1 proto tcp from any to (igb1) port = https