The following reply was made to PR kern/127920; it has been noted by GNATS.

From: Petko Bordjukov <[email protected]>
To: [email protected], [email protected]
Cc:  
Subject: Re: kern/127920: [pf] ipv6 and synproxy don't play well together
Date: Sun, 18 Jan 2009 21:29:56 +0200

 I am having the same problem.
 
 FreeBSD router.supranet.eu 7.1-RELEASE-p2 FreeBSD 7.1-RELEASE-p2 #2: Wed Jan 14 15:58:07 EET 2009 [email protected]:/var/src/sys/i386/compile/H5A8S i386
 
 pf.conf:
 > ...
 > 
 > # Settings
 > 
 > set block-policy drop
 > set skip on lo0
 > 
 > ## TRAFFIC NORMALIZATION
 > scrub in on $ext_if all fragment reassemble
 > scrub out on $ext_if all fragment reassemble random-id no-df
 > scrub in on $tunnel_if all fragment reassemble
 > scrub out on $tunnel_if all fragment reassemble random-id no-df
 > 
 > # Queueing
 > 
 > # Translation
 > <NAT settings here>
 > 
 > # Filtering
 > 
 > # activate spoofing protection for all interfaces
 > # block in log quick from urpf-failed
 > antispoof log quick for $loopback_if label "Antispoof for $if interface."
 > antispoof log quick for $int_if label "Antispoof for $if interface."
 > 
 > # default rule
 > block log all label "Block all."
 > block in on $ext_if proto { tcp udp } from any to any port { 137, 138, 139, 445 } label "Block netbios broadcasts and don't log."
 > 
 > pass out from self to any modulate state label "Permit outgoing traffic from the firewall."
 > pass out on !$int_if from $localnet6 to any modulate state label "Permit outgoing traffic from the local v6 net."
 > pass inet proto icmp all icmp-type { 0, 3, 4, 11 } keep state label "Permit safe ICMP."
 > # http://www.freebsd.org/cgi/man.cgi?query=icmp6
 > pass inet6 proto icmp6 all icmp6-type { 1,2,3,4 } keep state label "Permit safe ICMPv6."
 > pass in on $tunnel_if inet6 proto icmp6 from $tun_endpoint icmp6-type {128,135,136} keep state label "Permit IPv6 ping, neighbor solic., advert. from endpoint."
 > 
 > # Allow access to services
 > pass in inet proto tcp from any to $pub_ips port $tcp_services synproxy state label "Access to $dstaddr $proto/$dstport."
 > 
 > #### Trouble comes from this rule
 > pass in inet6 proto tcp from any to $pub_ips port $tcp_services synproxy state label "Access to $dstaddr $proto/$dstport."
 > 
 > pass in proto udp from any to $pub_ips port $udp_services keep state label "Access to $dstaddr $proto/$dstport."
 > pass in on $ext_if inet proto {tcp udp} from any to $localnet port $connectable synproxy state label "Allow incoming connections -> mapped $proto ports on $if."
 > 
 > # trusted IPs
 > pass from <trusted_ips> to any keep state label "Grant access to trusted IPs."
 > 
 > # trust local network
 > pass in on $int_if all modulate state label "Permit incoming traffic from the Local network."
 > pass out on $int_if proto {tcp, udp} from any to $localnet4 port $connectable modulate state label "Allow connections to mapped ports to reach LAN destinations."
 > pass proto tcp from any to $localnet6 port $client_tcp_services modulate state label "Allow IPv6 access to/from the ($proto) client services."
 > pass proto { tcp, udp } from any to $localnet6 port $connectable modulate state label "Allow IPv6 access to/from the connectable ($proto) ports."
 
 
 
 -- 
 - Petko
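The PR points at one rule: an IPv6 `pass ... synproxy state` entry. When auditing a ruleset for the same combination it helps to have a scanner that re-joins rules wrapped by a mail client and reports which `pass` rules apply synproxy to which address family. The script below is an added example written for this page; it is not part of the PR, of pf, or of FreeBSD. It assumes a mailer-wrap heuristic (a line that does not begin with a pf rule keyword or a macro assignment is a continuation of the previous rule) and uses a sample ruleset constructed from the rules quoted above.

```python
"""Scan a pf ruleset for 'pass' rules that use 'synproxy state' per address family.

Added example, not code from the PR or from FreeBSD. The sample ruleset is
constructed from the rules quoted in the PR; the wrap heuristic is an assumption.
"""
import re
import shlex

# Tokens that start a new rule or directive in pf.conf (assumed sufficient here).
RULE_KEYWORDS = {"pass", "block", "match", "set", "scrub", "antispoof", "nat",
                 "rdr", "binat", "table", "load", "include", "queue", "altq"}

# Constructed sample: a few of the quoted rules, still mail-wrapped and '>'-quoted.
SAMPLE_RULESET = """\
> # Allow access to services
> pass in  inet proto tcp from any to $pub_ips port $tcp_services synproxy
> state                  label "Access to $dstaddr $proto/$dstport."
>
> #### Trouble comes from this rule
> pass in  inet6 proto tcp from any to $pub_ips port $tcp_services synproxy
> state                 label "Access to $dstaddr $proto/$dstport."
>
> pass in  proto udp from any to $pub_ips port $udp_services keep state \\
>                    label "Access to $dstaddr $proto/$dstport."
> pass in  on $ext_if inet proto {tcp udp} from any to $localnet port
> $connectable synproxy state label "Allow incoming connections -> mapped
> $proto ports on $if."
> pass     proto tcp from any to $localnet6 port $client_tcp_services modulate
> state              label "Allow IPv6 access to/from the ($proto) client
> services."
"""


def strip_comment(line):
    """Drop a trailing '#' comment, but leave '#' inside a double-quoted label alone."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif ch == "#" and not in_quote:
            return line[:i]
    return line


def logical_lines(text):
    """Return one string per pf rule.

    Joins pf's own backslash continuations and, heuristically, mailer soft
    wraps: a non-empty line that does not start with a rule keyword or a
    macro assignment is glued onto the previous rule. Leading '>' quote
    markers are removed first.
    """
    rules, buf, continued = [], "", False
    for raw in text.splitlines():
        line = strip_comment(raw.lstrip("> ")).strip()
        if not line:
            continue
        starts_rule = (not continued) and (
            line.split(None, 1)[0] in RULE_KEYWORDS or re.match(r"\w+\s*=", line) is not None)
        if starts_rule and buf:
            rules.append(buf)
            buf = ""
        continued = line.endswith("\\")
        if continued:
            line = line[:-1]
        buf = (buf + " " + line).strip()
    if buf:
        rules.append(buf)
    return rules


def describe_rule(rule):
    """Return (action, address family, state option) for one joined rule.

    Address family is 'inet', 'inet6', or 'any' when the rule names none
    (pf then applies the rule to both families).
    """
    try:
        toks = shlex.split(rule)
    except ValueError:  # stray quote character; fall back to whitespace split
        toks = rule.split()
    af = next((t for t in toks if t in ("inet", "inet6")), "any")
    state = None
    for i, t in enumerate(toks[:-1]):
        if t in ("synproxy", "modulate", "keep") and toks[i + 1] == "state":
            state = t
            break
    return toks[0], af, state


def find_synproxy_rules(text, af="inet6"):
    """Return the pass rules that apply 'synproxy state' to address family af.

    Rules with no explicit family are included, since they cover af as well.
    """
    hits = []
    for rule in logical_lines(text):
        action, fam, state = describe_rule(rule)
        if action == "pass" and state == "synproxy" and fam in (af, "any"):
            hits.append(rule)
    return hits


if __name__ == "__main__":
    for fam in ("inet6", "inet"):
        for r in find_synproxy_rules(SAMPLE_RULESET, fam):
            print(f"{fam}: {r}")
```

Run it against a real `pf.conf` by passing the file contents to `find_synproxy_rules`. Two points are worth keeping in mind: a rule that names no address family (`pass in proto tcp ... synproxy state`) applies to IPv6 too, which is why such rules are reported alongside explicit `inet6` ones; and the wrap-joining is only a heuristic for mail-quoted configs, so `pfctl -nvf pf.conf` remains the authoritative parser for the file on disk.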
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[email protected]"