Problem reports for p...@freebsd.org that need special attention
To view an individual PR, use: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users, which need special attention. These represent problem reports covering all versions including experimental development code and obsolete releases.

Status | Bug Id | Description
-------+--------+--------------------------------------------------
Open   | 203735 | Transparent interception of ipv6 with squid and p
Open   | 237973 | pf: implement egress keyword to simplify rules ac

2 problems total for which you should take action.

___
freebsd-pf@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"
Re: pf - SCTP ports are not allowed in filter rules.
Hi!

> SCTP protocol header has src port and dst port fields. But pf doesn't
> support it.
>
> # echo "pass log (to pflog0) quick proto SCTP from any to any port 13873" | pfctl -f -
> stdin:1: port only applies to tcp/udp
> stdin:1: skipping rule due to errors
> stdin:1: rule expands to no valid combination
> pfctl: Syntax error in config file: pf rules not loaded
> #
>
> I tried to write the same rule with ipfw. It works.
>
> # ipfw add 200 allow sctp from any to any 13873
> 00200 allow sctp from any to any 13873
>
> Do I have a mistake, or is filtering for SCTP ports not supported by pf?
> Is it possible to fix?

sys/netpfil/pf/ has some ifdefs that reference SCTP. So, if you recompile
your kernel with

options SCTP
options SCTP_SUPPORT

it might improve, but the ifdefed code does not seem very far-reaching.

The user-space tooling (pfctl) does not seem to support sctp as a keyword?

--
p...@opsec.eu            +49 171 3101372              Now what ?
Re: pf - SCTP ports are not allowed in filter rules.
On 25 Apr 2021, at 7:56, Özkan KIRIK wrote:

> SCTP protocol header has src port and dst port fields. But pf doesn't
> support it.
>
> # echo "pass log (to pflog0) quick proto SCTP from any to any port 13873" | pfctl -f -
> stdin:1: port only applies to tcp/udp
> stdin:1: skipping rule due to errors
> stdin:1: rule expands to no valid combination
> pfctl: Syntax error in config file: pf rules not loaded
> #
>
> I tried to write the same rule with ipfw. It works.
>
> # ipfw add 200 allow sctp from any to any 13873
> 00200 allow sctp from any to any 13873
>
> Do I have a mistake, or is filtering for SCTP ports not supported by pf?
> Is it possible to fix?

Pf does not support SCTP in any meaningful way. I have no plans to add SCTP
support either.

Note that doing so involves a lot more than just teaching it to look at SCTP
port numbers. Pf is a /stateful/ firewall, so we’d have to teach it the
entire SCTP protocol lifecycle.

Best regards,
Kristof
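As an added illustration of the reply above (example code, not from this thread and not pf's own code): a small Python parser for the SCTP common header and chunk list, a port-only check of the kind the rejected `proto SCTP ... port 13873` rule would express, and a simplified association tracker showing the chunk sequence a stateful filter would additionally have to follow. The packets are constructed inside the block; the checksum field is left zero and chunk bodies are zero-filled placeholders, and the state names are an observer model, not the RFC 4960 endpoint states.

```python
import struct

# SCTP chunk types from RFC 4960, section 3.2
INIT, INIT_ACK, ABORT, SHUTDOWN = 1, 2, 6, 7
SHUTDOWN_ACK, COOKIE_ECHO, COOKIE_ACK, SHUTDOWN_COMPLETE = 8, 10, 11, 14

# Association lifecycle as a middlebox sees it (simplified observer model,
# not the full RFC 4960 endpoint state table): (state, chunk) -> next state.
TRANSITIONS = {
    ("CLOSED", INIT): "INIT_SEEN",
    ("INIT_SEEN", INIT_ACK): "INIT_ACK_SEEN",
    ("INIT_ACK_SEEN", COOKIE_ECHO): "COOKIE_ECHOED",
    ("COOKIE_ECHOED", COOKIE_ACK): "ESTABLISHED",
    ("ESTABLISHED", SHUTDOWN): "SHUTDOWN_SENT",
    ("SHUTDOWN_SENT", SHUTDOWN_ACK): "SHUTDOWN_ACK_SENT",
    ("SHUTDOWN_ACK_SENT", SHUTDOWN_COMPLETE): "CLOSED",
}

def parse_sctp(packet):
    """Return (src_port, dst_port, vtag, [chunk types]) for one SCTP packet."""
    if len(packet) < 12:
        raise ValueError("truncated SCTP common header")
    src, dst, vtag, _csum = struct.unpack("!HHII", packet[:12])
    chunks, off = [], 12
    while off + 4 <= len(packet):
        ctype, _flags, clen = struct.unpack("!BBH", packet[off:off + 4])
        if clen < 4 or off + clen > len(packet):
            raise ValueError("bad chunk length")
        chunks.append(ctype)
        off += (clen + 3) & ~3  # chunks are padded to a 4-byte boundary
    return src, dst, vtag, chunks

def rule_matches(packet, port):
    """Port-only match: what 'proto sctp from any to any port N' expresses."""
    src, dst, _vtag, _chunks = parse_sctp(packet)
    return port in (src, dst)

def track(packets, state="CLOSED"):
    """Stateful view: feed every chunk of every packet through TRANSITIONS."""
    for pkt in packets:
        for ctype in parse_sctp(pkt)[3]:
            state = "CLOSED" if ctype == ABORT else TRANSITIONS.get((state, ctype), state)
    return state

def build_sctp(src, dst, vtag, chunks):
    """Constructed test packet: checksum left zero, bodies padded to 4 bytes."""
    body = b"".join(struct.pack("!BBH", t, 0, 4 + len(p)) + p + b"\0" * (-len(p) % 4)
                    for t, p in chunks)
    return struct.pack("!HHII", src, dst, vtag, 0) + body
```

The port check alone passes the INIT packet, while `track` shows the four-way handshake and three-way shutdown a state table would have to carry for each association.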