tech-userlevel archive


Re: ipfilter ipv6 icmp woes



On Fri, Aug 21, 2009 at 08:58:47PM +0100, Roy Marples wrote:
> Hi List
> 
> ipmon keeps showing me this
> 
> 21/08/2009 20:54:23.959911 ath0 @0:2 b :: -> ff02::16 PR icmpv6 len 48 96 icmpv6 icmpv6type(143)/0 IN low-ttl multicast
> 21/08/2009 20:54:24.666009 ath0 @0:2 b fe80::209:5bff:fe84:887d -> ff02::1 PR icmpv6 len 40 104 icmpv6 routeradvert/0 IN multicast
> 
> Here's my config

There are some redundant/useless rules here:

> 
> uberserver$ sudo ipfstat -nio6
> @1 pass out quick all head 601
> @2 block out log quick all
> # Group 601
> @1 pass out quick on lo0 all group 601
> @2 pass out quick all keep state group 601
> @1 pass in quick all head 600
> @2 block in log quick all
> @3 pass in quick from 2a01:348:31::/48 to any keep state

As you have a quick in @2, @3 won't ever match.

> # Group 600
> @1 pass in quick on lo0 all group 600
> @2 pass in quick proto tcp/udp from any to any port = domain keep state group 600
> @3 pass in quick proto tcp from any to any port = git keep state group 600
> @4 pass in quick proto tcp from any to any port = ftp keep state group 600
> @5 pass in quick proto tcp from any to any port = ftp-data keep state group 600
> @6 pass in quick proto tcp from any to any port = ident keep state group 600
> @7 pass in quick proto tcp from any to any port = imap keep state group 600
> @8 pass in quick proto tcp from any to any port = rsync keep state group 600
> @9 pass in quick proto tcp from any to any port = ssh keep state group 600
> @10 pass in quick proto tcp from any to any port = smtp keep state group 600
> @11 pass in quick proto tcp from any to any port = http keep state group 600
> @12 pass in quick proto tcp from any port = ftp-data to any port > 1023 keep state group 600
> @13 pass in quick proto ipv6-icmp from any to any keep state group 600
> @14 pass in quick from any to ff02::/16 keep state group 600
> @15 block in log all group 600
> 
> What did I miss or do wrong?

I would remove the "keep state" for ipv6-icmp and ff02::/16 and add
appropriate rules in the 601 group. "keep state" is asking for trouble
with icmp, because there's not much to identify them.

-- 
Manuel Bouyer <bouyer%antioche.eu.org@localhost>
     NetBSD: 26 years of experience will always make the difference
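An added example, not part of the thread or of ipfilter itself: a small Python script that reads an `ipfstat -nio6` listing and mechanically applies the two checks made in the reply above. A rule that follows a `quick ... all` rule of the same group and direction can never match, and `keep state` on ICMPv6 or ff02::/16 traffic is flagged as fragile. The embedded ruleset is an abridged copy of the one quoted in the mail with the wrapped lines re-joined. The treatment of `head` rules is a deliberate, conservative assumption (a head rule is not counted as terminating evaluation, since it hands the packet to its group), not a full model of ipf semantics.

```python
"""Audit an `ipfstat -nio6` listing for shadowed rules and for `keep state`
on ICMPv6 / link-local multicast traffic (added example, not ipfilter code)."""

from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    num: str                 # "@3" as printed by ipfstat
    action: str              # pass / block
    direction: str           # in / out
    quick: bool
    keep_state: bool
    iface: Optional[str]     # "on <if>"
    proto: Optional[str]     # "proto <p>"
    src: Optional[str]       # "from <addr>"
    dst: Optional[str]       # "to <addr>"
    head: Optional[str]      # "head <n>": packet is handed to that group
    group: str               # "group <n>"; "0" stands for the top-level list

    def is_catch_all(self) -> bool:
        """True for a bare "all" rule with no interface, proto or address qualifier."""
        return self.iface is None and self.proto is None and self.src is None and self.dst is None


def parse_rule(line: str) -> Optional[Rule]:
    """Parse one listing line; returns None for comments such as '# Group 600'."""
    toks = line.lstrip("> ").split()     # tolerate the '> ' quoting of a mail reply
    if len(toks) < 3 or not toks[0].startswith("@"):
        return None
    num, action, direction, rest = toks[0], toks[1], toks[2], toks[3:]
    quick = keep_state = False
    iface = proto = src = dst = head = None
    group = "0"
    i = 0
    while i < len(rest):
        t = rest[i]
        if t == "quick":
            quick = True
        elif t in ("on", "proto", "from", "to", "head", "group"):
            value = rest[i + 1]
            i += 1
            if t == "on":
                iface = value
            elif t == "proto":
                proto = value
            elif t == "from":
                src = value
            elif t == "to":
                dst = value
            elif t == "head":
                head = value
            else:
                group = value
        elif t == "port":
            i += 2                       # "port = ssh" / "port > 1023": skip operator and value
        elif t == "keep" and i + 1 < len(rest) and rest[i + 1] == "state":
            keep_state = True
            i += 1
        # "log" and "all" carry no information the checks below need
        i += 1
    return Rule(num, action, direction, quick, keep_state, iface, proto, src, dst, head, group)


def audit(listing: str) -> List[Tuple[str, str]]:
    """Return (rule, problem) pairs in listing order."""
    findings = []
    terminal = {}    # (group, direction) -> first quick catch-all rule seen there
    for line in listing.splitlines():
        r = parse_rule(line)
        if r is None:
            continue
        where = f"{r.num} group {r.group}"
        key = (r.group, r.direction)
        if key in terminal:
            findings.append((where, f"unreachable: {terminal[key]} is 'quick' and matches everything"))
        # ff02::/16 is the IPv6 link-local multicast scope
        if r.keep_state and (r.proto == "ipv6-icmp" or (r.dst or "").startswith("ff02:")):
            findings.append((where, "keep state on ICMPv6/link-local multicast; "
                                    "prefer stateless pass rules in both the in and out groups"))
        # Assumption: a head rule hands the packet to its group, so it is not
        # treated here as terminating evaluation.
        if r.quick and r.is_catch_all() and r.head is None:
            terminal.setdefault(key, r.num)
    return findings


# Abridged copy of the listing quoted in the thread (wrapped lines re-joined).
RULESET = """\
@1 pass out quick all head 601
@2 block out log quick all
# Group 601
@1 pass out quick on lo0 all group 601
@2 pass out quick all keep state group 601
@1 pass in quick all head 600
@2 block in log quick all
@3 pass in quick from 2a01:348:31::/48 to any keep state
# Group 600
@1 pass in quick on lo0 all group 600
@2 pass in quick proto tcp/udp from any to any port = domain keep state group 600
@9 pass in quick proto tcp from any to any port = ssh keep state group 600
@12 pass in quick proto tcp from any port = ftp-data to any port > 1023 keep state group 600
@13 pass in quick proto ipv6-icmp from any to any keep state group 600
@14 pass in quick from any to ff02::/16 keep state group 600
@15 block in log all group 600
"""

if __name__ == "__main__":
    for where, problem in audit(RULESET):
        print(f"{where}: {problem}")
```

Run against the abridged ruleset it reports the top-level @3 as unreachable and flags @13 and @14 in group 600, which is exactly the reply's diagnosis; feed it the output of `ipfstat -nio6` (or the quoted lines straight from a mail) to check a live ruleset.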