From nobody@FreeBSD.org  Fri Jun 11 13:58:24 2010
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id EBD8C1065675
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 11 Jun 2010 13:58:24 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id DA1338FC16
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 11 Jun 2010 13:58:24 +0000 (UTC)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.3/8.14.3) with ESMTP id o5BDwOqa092689
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 11 Jun 2010 13:58:24 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.3/8.14.3/Submit) id o5BDwOig092686;
	Fri, 11 Jun 2010 13:58:24 GMT
	(envelope-from nobody)
Message-Id: <201006111358.o5BDwOig092686@www.freebsd.org>
Date: Fri, 11 Jun 2010 13:58:24 GMT
From: sebastien boggia <sebastien.boggia@unistra.fr>
To: freebsd-gnats-submit@FreeBSD.org
Subject: Firewall PF no longer drops connections by sending TCP RST packets
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         147789
>Category:       kern
>Synopsis:       [pf] Firewall PF no longer drops connections by sending TCP RST packets
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-pf
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jun 11 14:00:16 UTC 2010
>Closed-Date:    
>Last-Modified:  Sun Jun 13 23:59:07 UTC 2010
>Originator:     sebastien boggia
>Release:        8.0-RELEASE-p2
>Organization:
university of strasbourg
>Environment:
FreeBSD ash.u-strasbg.fr 8.0-RELEASE-p2 FreeBSD 8.0-RELEASE-p2 #1: Fri Feb 26 13:11:24 UTC 2010     root@fbsd8-64:/usr/obj/usr/src/sys/SMP8-64  amd64
>Description:
We upgraded our firewall from FreeBSD 6.4 to FreeBSD 8.0 and now we have a problem with pf and IPv6: the return-rst rule no longer works.

When a packet matches the following rule, the system should reply to the source address with a TCP RST packet in order to drop the connection.

block return-rst in quick log on { $int_if $int_carp_if } inet6 proto tcp from any to any port { $port_autorises_host_wifi }

It worked on FreeBSD 6.4 but not on FreeBSD 8.0.

With tcpdump on pflog0 we can see the packets matching the rule.

..
tcpdump -en -s0 -i pflog0
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 65535 bytes

15:53:43.725574 rule 320/0(match): block in on vlan900: fe80::226:5eff:fe01:b33e.38423 > 2001:660:2402::90.443: Flags [S], seq 1947608384, win 5760, options [mss 1440,sackOK,TS val 6811328 ecr 0,nop,wscale 6], length 0
15:53:45.488687 rule 318/0(match): block in on vlan900: 2001:660:2402:2001:85ee:f2ca:8cae:61f1.54489 > 2a00:1450:4001:1::13.80: Flags [S], seq 792126535, win 8192, options [mss 1440,nop,wscale 2,nop,nop,sackOK], length 0
..
>How-To-Repeat:
This is the network configuration on the server:

vlan818: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=3<RXCSUM,TXCSUM>
        ether 00:26:55:1a:b9:fc
        inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
        inet6 fe80::226:55ff:fe1a:b9fc%vlan818 prefixlen 64 scopeid 0x6 
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        vlan: 818 parent interface: bce0
vlan212: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=3<RXCSUM,TXCSUM>
        ether 00:26:55:1a:b9:fc
        inet 130.79.208.186 netmask 0xfffffff8 broadcast 130.79.208.191
        inet6 fe80::226:55ff:fe1a:b9fc%vlan212 prefixlen 64 scopeid 0x7 
        inet6 2001:660:2402:7::2 prefixlen 64 
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        vlan: 212 parent interface: bce0
vlan900: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=3<RXCSUM,TXCSUM>
        ether 00:26:55:1a:b9:fc
        inet 172.17.255.253 netmask 0xffff0000 broadcast 172.17.255.255
        inet6 fe80::226:55ff:fe1a:b9fc%vlan900 prefixlen 64 scopeid 0x8 
        inet6 2001:660:2402:2001:fe:: prefixlen 64 
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        vlan: 900 parent interface: bce0
carp212: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
        inet 130.79.208.185 netmask 0xfffffff8 
        inet6 2001:660:2402:7::1 prefixlen 64 
        carp: MASTER vhid 150 advbase 1 advskew 0
carp900: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
        inet 172.17.255.254 netmask 0xffff0000 
        inet6 2001:660:2402:2001:ff:: prefixlen 64 
        carp: MASTER vhid 150 advbase 1 advskew 0


Following is an extract of the pf.conf file:

carp_if="{vlan212,vlan900}"
ext_carp_if="carp212"
int_carp_if="carp900"
ext_if="vlan212"
int_if="vlan900"

set debug urgent
set limit { states 600000 , frags 10000 , src-nodes 100000 }
set timeout interval 5
set optimization normal
scrub in all fragment crop no-df

port_autorises_host_wifi = "smtp, ssh, http, 8080, https, imaps, 1993, \
                            pop3s, ldap, ldaps, ntp, 8443, 3389, rsync, \
                            nntp, 5999, 465, 1194, 1232, 5222, 5223, \
                            587, 1723, 1701, 5060, 5061, 5062, irc, ircs, \
                            6665, 6666, 6667, 6669"

block return-rst in quick log on { $int_if $int_carp_if } inet6 proto tcp from any \
                        to any port { $port_autorises_host_wifi }
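The symptom can be checked from a client without tcpdump: the following probe is an added example (not part of the original report or of pf) that classifies a TCP connection attempt as refused (a TCP RST came back, which is what block return-rst should produce), dropped (no answer at all, the behaviour observed here) or open; the host, port and address family are command-line assumptions.

```python
"""Probe a TCP port and report how the path handled the SYN (added example)."""
import socket
import sys


def classify_tcp_block(host, port, family=socket.AF_UNSPEC, timeout=3.0):
    """Return 'open', 'refused', 'dropped' or 'unreachable' for host:port.

    refused  - a TCP RST came back, the expected effect of 'block return-rst'
    dropped  - nothing came back before the timeout, i.e. a silent drop,
               which is the symptom this PR reports for IPv6 on 8.0
    """
    try:
        infos = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)
    except socket.gaierror:
        return "unreachable"
    af, socktype, proto, _, sockaddr = infos[0]
    sock = socket.socket(af, socktype, proto)
    sock.settimeout(timeout)
    try:
        sock.connect(sockaddr)
        return "open"
    except ConnectionRefusedError:   # peer or firewall answered with RST
        return "refused"
    except socket.timeout:           # no SYN/ACK and no RST: silently dropped
        return "dropped"
    except OSError:                  # ICMP unreachable, no route, etc.
        return "unreachable"
    finally:
        sock.close()


def local_closed_port():
    """Pick a loopback port nobody listens on, for a self-test of 'refused'."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Usage: probe.py HOST PORT [4|6]; e.g. a host behind vlan900 and port 443
    # (host and port are assumptions supplied by the operator)
    host, port = sys.argv[1], int(sys.argv[2])
    fam = {"4": socket.AF_INET, "6": socket.AF_INET6}.get(
        sys.argv[3] if len(sys.argv) > 3 else "", socket.AF_UNSPEC)
    print(classify_tcp_block(host, port, fam))
```

Run it once with family 4 and once with family 6 against the same port listed in $port_autorises_host_wifi: a working return-rst rule reports "refused" for both, while the bug described here shows "dropped" for the IPv6 attempt.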
>Fix:


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-amd64->freebsd-pf 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Sun Jun 13 23:58:37 UTC 2010 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=147789 
>Unformatted:
