Bug 147789 - [pf] Firewall PF no longer drops connections by sending TCP RST packets
Summary: [pf] Firewall PF no longer drops connections by sending TCP RST packets
Status: Open
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: 8.0-RELEASE
Hardware: Any Any
Importance: Normal Affects Only Me
Assignee: freebsd-bugs (Nobody)
Reported: 2010-06-11 15:00 UTC by sebastien.boggia
Modified: 2018-01-03 05:13 UTC

Description sebastien.boggia 2010-06-11 15:00:16 UTC
We upgraded our firewall from FreeBSD 6.4 to FreeBSD 8.0 and now we have a problem with pf and IPv6: the return-rst rules no longer work.

FreeBSD ash.u-strasbg.fr 8.0-RELEASE-p2 FreeBSD 8.0-RELEASE-p2 #1: Fri Feb 26 13:11:24 UTC 2010 root@fbsd8-64:/usr/obj/usr/src/sys/SMP8-64 amd64 

When a packet matches the following rule, the system should reply to the source address with a TCP RST packet in order to drop the connection.

block return-rst in quick log on { $int_if $int_carp_if } inet6 proto tcp from any to any port { $port_autorises_host_wifi }

It worked on FreeBSD 6.4 but not on FreeBSD 8.0.

With tcpdump on pflog0 we can see the packets matching the rule.

..
tcpdump -en -s0 -i pflog0                                        
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 65535 bytes

15:53:43.725574 rule 320/0(match): block in on vlan900: fe80::226:5eff:fe01:b33e.38423 > 2001:660:2402::90.443: Flags [S], seq 1947608384, win 5760, options [mss 1440,sackOK,TS val 6811328 ecr 0,nop,wscale 6], length 0
15:53:45.488687 rule 318/0(match): block in on vlan900: 2001:660:2402:2001:85ee:f2ca:8cae:61f1.54489 > 2a00:1450:4001:1::13.80: Flags [S], seq 792126535, win 8192, options [mss 1440,nop,wscale 2,nop,nop,sackOK], length 0
..

How-To-Repeat: This is the network configuration on the server:

vlan818: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=3<RXCSUM,TXCSUM>
        ether 00:26:55:1a:b9:fc
        inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
        inet6 fe80::226:55ff:fe1a:b9fc%vlan818 prefixlen 64 scopeid 0x6 
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        vlan: 818 parent interface: bce0
vlan212: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=3<RXCSUM,TXCSUM>
        ether 00:26:55:1a:b9:fc
        inet 130.79.208.186 netmask 0xfffffff8 broadcast 130.79.208.191
        inet6 fe80::226:55ff:fe1a:b9fc%vlan212 prefixlen 64 scopeid 0x7 
        inet6 2001:660:2402:7::2 prefixlen 64 
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        vlan: 212 parent interface: bce0
vlan900: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=3<RXCSUM,TXCSUM>
        ether 00:26:55:1a:b9:fc
        inet 172.17.255.253 netmask 0xffff0000 broadcast 172.17.255.255
        inet6 fe80::226:55ff:fe1a:b9fc%vlan900 prefixlen 64 scopeid 0x8 
        inet6 2001:660:2402:2001:fe:: prefixlen 64 
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        vlan: 900 parent interface: bce0
carp212: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
        inet 130.79.208.185 netmask 0xfffffff8 
        inet6 2001:660:2402:7::1 prefixlen 64 
        carp: MASTER vhid 150 advbase 1 advskew 0
carp900: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
        inet 172.17.255.254 netmask 0xffff0000 
        inet6 2001:660:2402:2001:ff:: prefixlen 64 
        carp: MASTER vhid 150 advbase 1 advskew 0


Following is an extract of the pf.conf file:

carp_if="{vlan212,vlan900}"
ext_carp_if="carp212"
int_carp_if="carp900"
ext_if="vlan212"
int_if="vlan900"

set debug urgent
set limit { states 600000 , frags 10000 , src-nodes 100000 }
set timeout interval 5
set optimization normal
scrub in all fragment crop no-df

port_autorises_host_wifi = "smtp, ssh, http, 8080, https, imaps, 1993, \
                            pop3s, ldap, ldaps, ntp, 8443, 3389, rsync, \
                            nntp, 5999, 465, 1194, 1232, 5222, 5223, \
                            587, 1723, 1701, 5060, 5061, 5062, irc, ircs, \
                            6665, 6666, 6667, 6669"

block return-rst in quick log on { $int_if $int_carp_if } inet6 proto tcp from any \
                        to any port { $port_autorises_host_wifi }
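The pflog capture above only shows that the rule matched; pflog records the matched packet, not any reply pf generates, so it cannot tell whether the RST was actually sent. To see the RST leave the box you would capture on the ingress interface itself (for example `tcpdump -ni vlan900 ip6 and tcp` and look for `Flags [R.]` lines going back to the client), and from a client behind the firewall the two outcomes are distinguishable by the result of connect(): a RST shows up as ECONNREFUSED, a silent block as a timeout. The following is an added example written for this page, not code from the report or from the FreeBSD project: a client-side probe that classifies a port as `rst`, `dropped` or `open` over IPv4 or IPv6. The function names `probe_tcp`, `probe_ports` and `closed_loopback_port` are the example's own; the offline demonstration uses a closed loopback port, whose RST comes from the local kernel rather than from pf.

```python
# Added diagnostic (not part of the bug report): classify a blocked TCP port
# as RST-returned vs silently dropped, as seen from a client.
import errno
import socket
import sys


def closed_loopback_port(family=socket.AF_INET):
    """Return a loopback port that nothing is listening on.

    Only used to produce a deterministic 'rst' case offline: binding to port 0
    makes the kernel pick a free port; closing the socket leaves it closed.
    """
    host = "127.0.0.1" if family == socket.AF_INET else "::1"
    with socket.socket(family, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def probe_tcp(host, port, timeout=3.0):
    """Send one TCP SYN to host:port and report how it was answered.

    Returns:
      "open"     handshake completed (a pass rule matched, or no rule at all)
      "rst"      ECONNREFUSED: a TCP RST came back, which is what
                 'block return-rst' is expected to produce
      "dropped"  nothing came back within `timeout`: the SYN was discarded,
                 the behaviour of a plain 'block drop'
      "error:X"  any other socket error X (for example EHOSTUNREACH)
    getaddrinfo() makes the same code work for IPv4 and IPv6 targets.
    """
    infos = socket.getaddrinfo(host, port, socket.AF_UNSPEC, socket.SOCK_STREAM)
    family, socktype, proto, _, sockaddr = infos[0]
    with socket.socket(family, socktype, proto) as s:
        s.settimeout(timeout)
        try:
            s.connect(sockaddr)
            return "open"
        except socket.timeout:
            return "dropped"
        except ConnectionRefusedError:
            return "rst"
        except OSError as e:
            return "error:" + errno.errorcode.get(e.errno, str(e.errno))


def probe_ports(host, ports, timeout=3.0):
    """Probe several ports and return {port: verdict}.

    A port that reports 'dropped' while its pf rule is 'block return-rst'
    is the symptom described in this report.
    """
    return {p: probe_tcp(host, p, timeout) for p in ports}


if __name__ == "__main__":
    if len(sys.argv) >= 3:
        # Usage: probe.py <host> <port> [<port> ...], e.g. an IPv6 host behind
        # the firewall and a few of the ports listed in $port_autorises_host_wifi
        host, ports = sys.argv[1], [int(p) for p in sys.argv[2:]]
    else:
        # Offline demonstration: a closed loopback port answers with RST.
        host, ports = "127.0.0.1", [closed_loopback_port()]
    for port, verdict in probe_ports(host, ports).items():
        print(host, port, verdict)
```

Run it from a host on the wifi side against an IPv6 destination and one of the blocked ports: `rst` means the return-rst path works, `dropped` reproduces the problem. Run the same probe with an IPv4 destination to confirm the difference is specific to inet6.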
Comment 1 Mark Linimon freebsd_committer freebsd_triage 2010-06-14 00:58:37 UTC
Responsible Changed
From-To: freebsd-amd64->freebsd-pf

Over to maintainer(s).
Comment 2 Eitan Adler freebsd_committer freebsd_triage 2017-12-31 08:00:13 UTC
For bugs matching the following criteria:

Status: In Progress Changed: (is less than) 2014-06-01

Reset to default assignee and clear in-progress tags.

Mail being skipped