#239 icmp6 codes not compiled correctly (PF) - far too open rules

open
nobody
None
5
2012-09-20
2012-09-20
No

Hi all

Fwb 5.1.0.3599 seems to have a problem generating rules for specific icmp6 types for PF (OpenBSD).

I have a ruleset specifying "any to any ipv6 all dest unreachable" and "any to any all ICMP unreachables".
The ICMP objects are from the Standard library.

The ipv4 rule generated from this is:
pass quick inet proto icmp from any to any icmp-type 3

The ipv6 rule generated from this is:
pass log quick inet6 proto icmp6 from any to any

The same happens when using the Group "Ipv6 unreachable messages" from the Standard library (as in the attached screenshot).

The GUI does show type 1 code any for the icmp6 object "ipv6 all dest unreachable". But apparently the compiler does not honour this.

It SHOULD be:
pass log quick inet6 proto icmp6 from any to any icmp6-type 1

I think this is a rather nasty bug because installing this pf policy will leave you far wider open than you had intended, and no errors or warnings help to point this out.
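As an added check that is not part of fwbuilder or of this report, the POSIX shell function below scans a pf ruleset for exactly the failure described above: "pass" rules for icmp or icmp6 that carry no icmp-type / icmp6-type restriction. The sample ruleset is constructed to mirror the report; feed the real generated file on stdin before loading it.

```shell
#!/bin/sh
# Sanity check for a generated pf.conf: list every "pass" rule that allows
# ICMP or ICMPv6 without an icmp-type / icmp6-type restriction, i.e. the
# over-wide rule the compiler emitted in the report. Reads the ruleset on
# stdin, prints offending rules, exits 1 if any were found and 0 otherwise.
# Limitation: one rule per line; "proto { icmp icmp6 }" lists are not parsed.
check_untyped_icmp() {
    awk '
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        $1 != "pass"   { next }              # only pass rules widen the policy
        /proto[ \t]+icmp6([ \t]|$)/ && !/icmp6-type/ { print "untyped icmp6: " $0; bad++ }
        /proto[ \t]+icmp([ \t]|$)/  && !/icmp-type/  { print "untyped icmp: " $0; bad++ }
        END { exit (bad > 0) }
    '
}

# Constructed sample mirroring the report: the IPv4 rule keeps icmp-type 3,
# the IPv6 rule has lost its icmp6-type 1, and a correct IPv6 rule follows.
SAMPLE_RULES='# generated ruleset (constructed sample)
pass quick inet proto icmp from any to any icmp-type 3
pass quick inet6 proto icmp6 from any to any
pass quick inet6 proto icmp6 from any to any icmp6-type 1
block in quick inet6 proto icmp6 from any to any'

# Usage on a real file: check_untyped_icmp < /path/to/generated/pf.conf
if printf '%s\n' "$SAMPLE_RULES" | check_untyped_icmp; then
    echo "ok: every ICMP pass rule restricts the message type"
fi
```

On the sample this prints the one untyped IPv6 rule and exits non-zero, so it can gate a deploy script.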

Discussion

  • Markus Wernig - 2012-09-21

    Sorry, the ipv6 rule actually reads
    pass quick inet6 proto icmp6 from any to any
    (without the "log" statement)

