From nobody@FreeBSD.org  Tue Oct  7 12:51:14 2008
Return-Path: <nobody@FreeBSD.org>
Message-Id: <200810071251.m97CpDAu032730@www.freebsd.org>
Date: Tue, 7 Oct 2008 12:51:13 GMT
From: Henri Hennebert <hlh@restart.be>
To: freebsd-gnats-submit@FreeBSD.org
Subject: pf : ipv6 and synproxy don't play well together
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         127920
>Category:       kern
>Synopsis:       [pf] ipv6 and synproxy don't play well together
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-pf
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Oct 07 13:00:09 UTC 2008
>Closed-Date:    
>Last-Modified:  Fri Mar  9 12:40:10 UTC 2012
>Originator:     Henri Hennebert
>Release:        FreeBSD 7.1-PRERELEASE
>Organization:
>Environment:
FreeBSD morzine.restart.bel 7.1-PRERELEASE FreeBSD 7.1-PRERELEASE #0: Sat Oct  4 17:19:46 CEST 2008     root@morzine.restart.bel:/usr/obj/usr/src/sys/MORZINE  i386

>Description:
My pf.conf:

---begin---
net_if="em0"

set block-policy drop
set debug misc
set loginterface $net_if
set state-policy if-bound

scrub in all

block in  log all
block out log all

set skip on lo0

antispoof quick for $net_if inet

pass out quick on $net_if proto { tcp, udp, icmp, icmp6 } all keep state
pass  in quick on $net_if proto udp from any to ($net_if) port domain
pass     quick inet proto icmp all icmp-type echoreq keep state
pass  in quick inet proto icmp all icmp-type unreach code needfrag
pass  in quick inet6 proto icmp6 all

pass  in quick on $net_if       proto tcp from any to ($net_if) port ssh\
 flags S/SA synproxy state (source-track rule, max-src-conn-rate 1/5,\
 overload <bad_hosts> flush)

pass     quick on $net_if    proto ipv6
pass     quick on $net_if    inet6
--- end ---

Note the last rule, which allows any IPv6 traffic!

If I `ssh -4` to this box, the connection succeeds.
If I `ssh -6` to this box, I get a timeout and the last rule is of no use.

If I comment out the rule with synproxy, `ssh -6` succeeds - the last rule allows it.

If I replace `synproxy state` with `keep state` everything is as expected.

Henri


>How-To-Repeat:
see above.
>Fix:

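Added by the editor, not part of the PR or of the FreeBSD pf code: the workaround the report describes (synproxy for IPv4 only, plain `keep state` for IPv6), applied to the ssh rule from the reporter's ruleset. The `table <bad_hosts> persist` declaration and the block rule that consumes it are assumptions, since the posted ruleset references the table without defining it.

```pf
# Workaround ruleset fragment (editor-added, not from the PR).
# The report shows that "synproxy state" on a rule matching IPv6 SSH
# causes ssh -6 to time out, while "keep state" works as expected.
# So: keep the SYN proxy on the IPv4 rule, and use ordinary stateful
# filtering (with the same rate limiting) on a separate IPv6 rule.
net_if="em0"

# Assumed: the overload table must exist before rules reference it.
table <bad_hosts> persist

# Assumed: drop traffic from hosts that tripped the rate limit.
block in quick on $net_if from <bad_hosts>

# IPv4: SYN proxy is fine here.
pass in quick on $net_if inet proto tcp from any to ($net_if) port ssh \
    flags S/SA synproxy state (source-track rule, max-src-conn-rate 1/5, \
    overload <bad_hosts> flush)

# IPv6: plain keep state instead of synproxy, otherwise identical.
pass in quick on $net_if inet6 proto tcp from any to ($net_if) port ssh \
    flags S/SA keep state (source-track rule, max-src-conn-rate 1/5, \
    overload <bad_hosts> flush)
```

Syntax-check with `pfctl -nf /etc/pf.conf` before loading; `pfctl -ss | grep ssh` then shows whether the IPv6 session reaches ESTABLISHED instead of stalling.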

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-pf 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Tue Oct 7 16:10:55 UTC 2008 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=127920 

From: Petko Bordjukov <bordjukov@gmail.com>
To: bug-followup@FreeBSD.org, hlh@restart.be
Cc:  
Subject: Re: kern/127920: [pf] ipv6 and synproxy don't play well together
Date: Sun, 18 Jan 2009 21:29:56 +0200

 I am having the same problem.
 
 FreeBSD router.supranet.eu 7.1-RELEASE-p2 FreeBSD 7.1-RELEASE-p2 #2: Wed 
 Jan 14 15:58:07 EET 2009 
 root@router.xxx.yyy:/var/src/sys/i386/compile/H5A8S  i386
 
 pf.conf:
 > ...
 > 
 > # Settings
 > 
 > set block-policy drop
 > set skip on lo0
 > 
 > ## TRAFFIC NORMALIZATION
 > scrub in on $ext_if all fragment reassemble
 > scrub out on $ext_if all fragment reassemble random-id no-df
 > scrub in on $tunnel_if all fragment reassemble
 > scrub out on $tunnel_if all fragment reassemble random-id no-df
 > 
 > # Queueing
 > 
 > # Translation
 > <NAT settings here>
 > 
 > # Filtering
 > 
 > # activate spoofing protection for all interfaces
 > # block in log quick from urpf-failed
 > antispoof log quick for $loopback_if                                                            label "Antispoof for $if interface."
 > antispoof log quick for $int_if                                                                 label "Antispoof for $if interface."
 > 
 > # default rule
 > block    log all                                                                                label "Block all."
 > block in on $ext_if proto { tcp udp } from any to any port { 137, 138, 139, 445 }               label "Block netbios broadcasts and don't log."
 > 
 > pass out from self to any modulate state                                                        label "Permit outgoing traffic from the firewall."
 > pass out on !$int_if from $localnet6 to any modulate state                                      label "Permit outgoing traffic from the local v6 net."
 > pass    inet proto icmp all icmp-type { 0, 3, 4, 11 } keep state                                label "Permit safe ICMP."
 > # http://www.freebsd.org/cgi/man.cgi?query=icmp6
 > pass     inet6 proto icmp6 all icmp6-type { 1,2,3,4 } keep state                                label "Permit safe ICMPv6."
 > pass in  on $tunnel_if inet6 proto icmp6 from $tun_endpoint icmp6-type {128,135,136} keep state label "Permit IPv6 ping, neighbor solic., advert. from endpoint."
 > 
 > 
 > # Allow access to services
 > pass in  inet proto tcp from any to $pub_ips port $tcp_services synproxy state                  label "Access to $dstaddr $proto/$dstport."
 > 
 > 
 > 
 > #### Trouble comes from this rule
 > pass in  inet6 proto tcp from any to $pub_ips port $tcp_services synproxy state                 label "Access to $dstaddr $proto/$dstport."
 > 
 > 
 > 
 > 
 > pass in  proto udp from any to $pub_ips port $udp_services keep state                           label "Access to $dstaddr $proto/$dstport."
 > pass in  on $ext_if inet proto {tcp udp} from any to $localnet port $connectable synproxy state label "Allow incoming connections -> mapped $proto ports on $if."
 > 
 > # trusted IPs
 > pass from <trusted_ips> to any keep state                                                       label "Grant access to trusted IPs."
 > 
 > # trust local network
 > pass in  on $int_if all modulate state                                                          label "Permit incoming traffic from the Local network."
 > pass out on $int_if proto {tcp, udp} from any to $localnet4 port $connectable modulate state    label "Allow connections to mapped ports to reach LAN destinations."
 > pass     proto tcp from any to $localnet6 port $client_tcp_services modulate state              label "Allow IPv6 access to/from the ($proto) client services."
 > pass     proto { tcp, udp } from any to $localnet6 port $connectable modulate state             label "Allow IPv6 access to/from the connectable ($proto) ports."
 
 
 
 -- 
 - Petko

From: Janne Snabb <snabb@epipe.com>
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/127920: [pf] ipv6 and synproxy don't play well together
Date: Thu, 8 Jul 2010 02:35:04 +0000 (UTC)

 Hi,
 
 I can confirm that this problem still exists on 8.0p2:
 
 FreeBSD xxx.example.com 8.0-RELEASE-p2 FreeBSD 8.0-RELEASE-p2 #3: Thu May 27 06:52:37 UTC 2010     snabb@xxx.example.com:/usr/obj/usr/src/sys/GENERIC  i386
 
 I was hitting my head against the wall for a while until I found
 out that synproxy is just broken and should not be used.
 
 --
 Janne Snabb / EPIPE Communications
 snabb@epipe.com - http://epipe.com/

From: Hien Phan <phanquochien@gmail.com>
To: bug-followup@FreeBSD.org, hlh@restart.be
Cc:  
Subject: Re: kern/127920: [pf] ipv6 and synproxy don't play well together
Date: Fri, 09 Mar 2012 19:13:10 +0700

 Hello,
 I confirm this problem still exists on 9.0-RELEASE
 
 FreeBSD web1.deploy.xxxxx 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan  3
 07:15:25 UTC 2012    
 root@obrian.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386
 
>Unformatted:
