On Tuesday 01 August 2006 16:29, Frank Steinborn wrote:
> At first, here is the complete ruleset:
> http://www.nognu.de/~steinex/pf.conf.txt
>
> The Problem:
> As you can see, I'm having a stateful outgoing rule for IPv6:
>
> pass out on gif0 inet6 proto { tcp, udp, icmp6, ipv6 } all modulate
> state
>
> That works just fine. I can ping v6-hosts and surf the web via v6. But
> I want to open some daemons for the outside world, for example a
> nameserver:
>
> pass in on gif0 inet6 proto { tcp, udp } from any to 2001:1638:17ad::3
> port 53 modulate state
>
> Let's try to connect to it now, from another box:
>
> $ telnet 2001:1638:17ad::3 53
> Trying 2001:1638:17ad::3...
> Connected to 2001:1638:17ad::3.
> Escape character is '^]'.
>
> That works just fine! Yay! However, if I try the same on the same box
> running the named and the filter:
>
> $ telnet 2001:1638:17ad::3 53
> Trying 2001:1638:17ad::3...
>
> That's it. It's not possible, and I'm really frustrated for days now.
> What is actually borked here? Let's have a look at pflog0, what's
> dropping:
>
> 15:26:35.983709 rule 1/0(match): block in on gif0:
> 2001:1638:17ad::3.53 > 2001:1638:17ad::3.59761: tcp 40 [bad hdr
> length 4 - too short, < 20]
>
> Hmm. Bad hdr length? What's up here? If I change the rule
This really just is an artefact from a too short snaplen. Use -s 1500 and you
get rid of it.
The strange thing, however, is that this is the reply *from* port 53. So this
means the initial SYN got through alright. Can you check if a state has been
created (pfctl -vss) for that connection, please. I suspect that it has and
the problem would be that the reply doesn't match the state - for whatever
reason. Please check if there is a state and let me know - thanks.
> pass out on gif0 inet6 proto { tcp, udp, icmp6, ipv6 } all modulate
> state
> to
> pass on gif0 inet6 proto { tcp, udp, icmp6, ipv6 } all modulate state
>
> all works fine. But that's not what I want, of course. Can anyone give
> me a clue what's wrong here? Please, it's driving me crazy! :-(
>
> I found one thing about the "bad hdr length" thing on the mailing list,
> but I'm not sure if it's related. And it's from 2005:
> http://lists.freebsd.org/pipermail/freebsd-current/2005-November/057922.html
--
/"\ Best regards, | [EMAIL PROTECTED]
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | [EMAIL PROTECTED]
/ \ ASCII Ribbon Campaign | Against HTML Mail and News
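As an added illustration of the check Max asks for above (relating the blocked packet seen on pflog0 to the entries in the state table from pfctl), here is a small Python script that is not part of the thread. The pflog and state lines are constructed samples, and the assumed `pfctl -ss` layout (local host first, `->` when the local side opened the connection, `<-` when the peer did, IPv6 ports in brackets) is my reading of pf output of that era, not something the thread states.

```python
import re

# Constructed sample data (not from the thread): pflog0 lines as tcpdump prints
# them, and state entries in `pfctl -ss` style (format assumed from that era).
PFLOG = [
    "15:26:35.983709 rule 1/0(match): block in on gif0: 2001:1638:17ad::3.53 > 2001:1638:17ad::3.59761: tcp 40",
    "15:26:36.101200 rule 1/0(match): block in on gif0: 2001:db8::9.40000 > 2001:1638:17ad::3.53: tcp 40",
    "15:26:37.000000 rule 1/0(match): block in on gif0: 2001:db8::7.40001 > 2001:1638:17ad::3.53: tcp 40",
]
STATES = [
    "gif0 tcp 2001:1638:17ad::3[59761] -> 2001:1638:17ad::3[53]       SYN_SENT:CLOSED",
    "gif0 tcp 2001:1638:17ad::3[53] <- 2001:db8::9[40000]       ESTABLISHED:ESTABLISHED",
]
PFLOG_RE = re.compile(r"rule (\S+): (\w+) (in|out) on (\w+): (\S+) > (\S+): (\w+)")
STATE_RE = re.compile(r"^(\S+) (\w+) (\S+) (->|<-) (\S+)\s+(\S+)")

def split_log_host(s):
    addr, _, port = s.rpartition(".")  # tcpdump: host.port for v4 and v6 alike
    return addr, int(port)

def split_state_host(s):
    # pfctl: IPv6 as addr[port], IPv4 as addr:port (assumed layout)
    addr, _, port = s[:-1].rpartition("[") if s.endswith("]") else s.rpartition(":")
    return addr, int(port)

def parse_pflog(line):
    rule, action, direction, ifname, src, dst, proto = PFLOG_RE.search(line).groups()
    return {"rule": rule, "action": action, "dir": direction, "if": ifname,
            "proto": proto, "src": split_log_host(src), "dst": split_log_host(dst)}

def parse_state(line):
    ifname, proto, a, arrow, b, status = STATE_RE.match(line).groups()
    # first host is the local side; '->' means it initiated, '<-' means the peer did
    src, dst = (a, b) if arrow == "->" else (b, a)
    return {"if": ifname, "proto": proto, "status": status,
            "src": split_state_host(src), "dst": split_state_host(dst)}

def explain_block(pkt, states):
    for s in states:
        if s["proto"] != pkt["proto"]:
            continue
        if (pkt["src"], pkt["dst"]) == (s["src"], s["dst"]):
            return "matches original direction of %s state on %s" % (s["status"], s["if"])
        if (pkt["src"], pkt["dst"]) == (s["dst"], s["src"]):
            return "reply to %s state on %s was blocked: reply did not match state" % (s["status"], s["if"])
    return "no state for this flow"

def audit(pflog_lines, state_lines):
    states = [parse_state(l) for l in state_lines]
    return [explain_block(p, states) for p in map(parse_pflog, pflog_lines) if p["action"] == "block"]
```

Run on real data, feed it the output of `tcpdump -n -s 1500 -i pflog0` (the larger snaplen avoids the truncated-header message) and of `pfctl -ss`; a blocked packet that reverses an existing state's tuple is the case Max suspects.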
