ipf: IP Filter: v5.1.2 (608)
Kernel: IP Filter: v5.1.2
Running: yes
Log Flags: 0 = none set
Default: pass all, Logging: available
Active list: 0
Feature mask: 0x14e
FreeBSD gefjun.hzn.srick.org 12.0-RELEASE-p7 FreeBSD 12.0-RELEASE-p7 r349765 GEFJUN amd64
compiled-into-kernel
Unable to use stateful firewalling on IPv6. IPv4 gives me an entry in
the state table and allows my lookup through. Doing the same on IPv6
allows traffic out but no response is received by dig.
ipf.rules:
pass in quick on lo0 all
pass out quick on lo0 all
pass out quick on re0 all keep state
pass in quick on re0 proto tcp from any to any port = 22
block in log quick on re0 all
default kernel-wise is to accept traffic
kernel options:
options IPFILTER
options IPFILTER_LOG
options IPFILTER_LOOKUP
When I look up www.google.com over IPv4 I get an entry in the state table
dig -A www.google.com @8.8.8.8
ipfstat -t
Src: 0.0.0.0, Dest: 0.0.0.0, Proto: any, Sorted by: # bytes
Source IP Destination IP ST PR #pkts #bytes ttl
188.40.60.69,22 80.79.143.188,47160 4/4 tcp 75 14048 119:59:59
188.40.60.96,51126 8.8.8.8,53 0/0 udp 1 83 0:03
When I try to look up the A record on the IPv6 server I get no state table entry
dig -A www.google.com @2001:4860:4860::8888
no state table entry and no response from the server
tcpdump -nnn host 2001:4860:4860::8888
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on re0, link-type EN10MB (Ethernet), capture size 262144 bytes
16:48:48.588867 IP6 2a01:4f8:221:181::2.62706 > 2001:4860:4860::8888.53: 15010+ [1au] A? www.google.com. (55)
16:48:48.602580 IP6 2001:4860:4860::8888.53 > 2a01:4f8:221:181::2.62706: 15010 1/0/1 A 216.58.206.4 (59)
16:48:53.663637 IP6 2a01:4f8:221:181::2.62706 > 2001:4860:4860::8888.53: 15010+ [1au] A? www.google.com. (55)
16:48:53.668845 IP6 2001:4860:4860::8888.53 > 2a01:4f8:221:181::2.62706: 15010 1/0/1 A 216.58.206.4 (59)
16:48:58.744154 IP6 2a01:4f8:221:181::2.62706 > 2001:4860:4860::8888.53: 15010+ [1au] A? www.google.com. (55)
16:48:58.764794 IP6 2001:4860:4860::8888.53 > 2a01:4f8:221:181::2.62706: 15010 1/0/1 A 216.58.206.4 (59)
^C
The request seems to have gone through just fine but my dig client times out.
I change the ruleset to include
pass in quick on re0 inet6 proto tcp from any port = 53
pass in quick on re0 inet6 proto udp from any port = 53
and then I'm obviously able to get a response from the server.
tcpdump -nnn host 2001:4860:4860::8888
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on re0, link-type EN10MB (Ethernet), capture size 262144 bytes
16:47:36.738177 IP6 2a01:4f8:221:181::2.40852 > 2001:4860:4860::8888.53: 54683+ [1au] A? www.google.com. (55)
16:47:36.751447 IP6 2001:4860:4860::8888.53 > 2a01:4f8:221:181::2.40852: 54683 1/0/1 A 172.217.18.164 (59)
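The two captures above show the symptom clearly: the IPv6 query leaves, the answer comes back on the wire, yet ipfstat -t never shows a state entry for the flow, so the reply is dropped by the "block in log quick" rule. The following script is an added example (not part of this report, and not ipf's own code) that automates that triage: it parses ipfstat -t output and tcpdump lines, pairs each DNS query with its answer by transaction id, and reports every answered flow that has no matching state entry in either direction. The sample inputs are constructed from the output quoted in the report; the regexes and the check itself are my assumptions about a reasonable defender-side tool, not anything ipf provides.

```python
"""Find DNS flows that were answered on the wire but have no ipf state entry.

Added example for triaging the IPv6 'keep state' problem described in the
report. The STATE_TABLE and TCPDUMP_* samples are constructed from the
report's own output; the parsing and the correlation are assumptions.
"""
import re

# Constructed sample: the two rows shown by 'ipfstat -t' in the report.
STATE_TABLE = """\
188.40.60.69,22 80.79.143.188,47160 4/4 tcp 75 14048 119:59:59
188.40.60.96,51126 8.8.8.8,53 0/0 udp 1 83 0:03
"""

# Constructed sample: the first IPv6 query/answer pair from the report.
TCPDUMP_V6 = """\
16:48:48.588867 IP6 2a01:4f8:221:181::2.62706 > 2001:4860:4860::8888.53: 15010+ [1au] A? www.google.com. (55)
16:48:48.602580 IP6 2001:4860:4860::8888.53 > 2a01:4f8:221:181::2.62706: 15010 1/0/1 A 216.58.206.4 (59)
"""

# Constructed sample: an IPv4 pair matching the UDP state entry above.
TCPDUMP_V4 = """\
16:47:00.000000 IP 188.40.60.96.51126 > 8.8.8.8.53: 1234+ A? www.google.com. (43)
16:47:00.010000 IP 8.8.8.8.53 > 188.40.60.96.51126: 1234 1/0/1 A 216.58.206.4 (59)
"""

# 'ipfstat -t' row: "src,sport dst,dport ST PR #pkts #bytes ttl"
STATE_RE = re.compile(
    r"^(?P<src>\S+),(?P<sport>\d+)\s+(?P<dst>\S+),(?P<dport>\d+)\s+\S+\s+(?P<proto>\w+)\s+"
)
# tcpdump DNS line; the last '.' before '>' / ':' separates host from port,
# which works for both dotted-quad IPv4 and colon-separated IPv6 addresses.
PKT_RE = re.compile(
    r"^\S+\s+IP6?\s+(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+(?P<dst>\S+)\.(?P<dport>\d+):"
    r"\s+(?P<txid>\d+)\S*\s+(?P<rest>.*)$"
)
# A query line carries "<TYPE>? <name>"; an answer line carries "n/n/n".
QUERY_RE = re.compile(r"\b[A-Z]+\d*\?\s")


def parse_states(text):
    """Return the set of (src, sport, dst, dport, proto) tuples from ipfstat -t."""
    states = set()
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if m:
            states.add((m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["proto"]))
    return states


def parse_packets(text):
    """Return one dict per tcpdump DNS line with endpoints, txid and direction."""
    pkts = []
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if m:
            pkts.append({
                "src": m["src"], "sport": int(m["sport"]),
                "dst": m["dst"], "dport": int(m["dport"]),
                "txid": int(m["txid"]),
                "is_query": bool(QUERY_RE.search(m["rest"])),
            })
    return pkts


def has_state(states, src, sport, dst, dport, proto="udp"):
    """True if ipf holds a state entry for the flow in either direction."""
    return ((src, sport, dst, dport, proto) in states
            or (dst, dport, src, sport, proto) in states)


def find_stateless_flows(state_text, dump_text, proto="udp"):
    """Flows (client, cport, server, sport) answered on the wire but lacking state."""
    states = parse_states(state_text)
    queries = set()
    answered = set()
    for p in parse_packets(dump_text):
        key = (p["src"], p["sport"], p["dst"], p["dport"], p["txid"])
        if p["is_query"]:
            queries.add(key)
        else:
            # Reverse the endpoints: the answer's destination is the client.
            reverse = (p["dst"], p["dport"], p["src"], p["sport"], p["txid"])
            if reverse in queries:
                answered.add(reverse[:4])
    return sorted(f for f in answered if not has_state(states, *f, proto=proto))


if __name__ == "__main__":
    # Usage: paste real 'ipfstat -t' and 'tcpdump -nnn' output into the samples.
    print("IPv6 flows without state:", find_stateless_flows(STATE_TABLE, TCPDUMP_V6))
    print("IPv4 flows without state:", find_stateless_flows(STATE_TABLE, TCPDUMP_V4))
```

On the report's data the IPv6 flow is listed and the IPv4 flow is not, which is exactly the asymmetry described. Note what the workaround rules in the report give up: "pass in quick on re0 inet6 proto udp from any port = 53" admits any inbound IPv6 datagram with source port 53 whether or not a query was ever sent, which is the check "keep state" was supposed to enforce; the script above is a way to confirm that the missing state, not the rule order, is the cause before settling for that.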