Re: OpenBSD 6.8 errata 014 breaks pf

Thu, 25 Feb 2021 02:41:30 -0800 

On Thu, Feb 25, 2021 at 10:31:59AM +0000, Mikolaj Kucharski wrote:
> On Thu, Feb 25, 2021 at 10:07:32AM +0100, stef...@fritz.wtf wrote:
> > >Synopsis: After installing OpenBSD 6.8 errata 014 pf allows no connections 
> > >and knows no tables 
> > >Category: kernel   
> > >Environment:
> >     System      : OpenBSD 6.8
> >     Details     : OpenBSD 6.8 (GENERIC) #4: Mon Jan 11 10:34:36 MST 2021
> >                      
> > r...@syspatch-68-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC
> > 
> >     Architecture: OpenBSD.amd64
> >     Machine     : amd64
> > >Description:
> >     After patching my system with syspatch to 6.8-014 no connections to the 
> > server where possible, no ssh, no smtp, https, imap.  Disabling pf allowed 
> > connections. 
> > 
> > 
> > >How-To-Repeat:
> > 
> >         Patch system using syspatch.
> > 
> > >Fix:
> >         I had to revert the most recently installed patch with syspatch -r.
> > 
> > 
> > dmesg:
> > OpenBSD 6.8 (GENERIC) #4: Mon Jan 11 10:34:36 MST 2021
> >     
> > r...@syspatch-68-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC
> 
> Can you show your pf.conf? I don't see that problem here.
> 
> # syspatch | wc -l
>        0
> 
> # sysctl -n kern.version
> OpenBSD 6.8 (GENERIC.MP) #5: Mon Feb 22 04:36:10 MST 2021
> r...@syspatch-68-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

no problem either on a VM doing dns/dhcp, i can connect over ssh and it
correctly does dns/dhcp:

furka# pfctl -sr
block drop in all
pass in on vio0 inet proto icmp from any to 172.20.97.3 icmp-type echorep
pass in on vio0 inet proto icmp from any to 172.20.97.3 icmp-type echoreq
pass in on vio0 inet proto icmp from any to 172.20.97.3 icmp-type timex
pass in on vio0 inet proto icmp from any to 172.20.97.3 icmp-type unreach
pass out all flags S/SA
pass in log on vio0 inet proto tcp from <__automatic_1e5c56b2_0> to 172.20.97.3 
port = 22 flags S/SA
pass in log on vio0 inet proto tcp from 172.20.97.21 to 172.20.97.3 port = 2812 
flags S/SA
pass in log on vio0 inet proto udp from <__automatic_1e5c56b2_1> to 172.20.97.3 
port = 53
pass in log on vio0 inet proto udp from any to any port = 67

furka# sysctl kern.version
kern.version=OpenBSD 6.8 (GENERIC) #5: Mon Feb 22 04:04:49 MST 2021
    r...@syspatch-68-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC

Reply via email to