NetBSD Problem Report #29665
From tron@colwyn.zhadum.de Sat Mar 12 01:25:30 2005
Return-Path: <tron@colwyn.zhadum.de>
Received: from colwyn.zhadum.de (colwyn.zhadum.de [81.187.181.114])
by narn.netbsd.org (Postfix) with ESMTP id 09F8063B116
for <gnats-bugs@gnats.NetBSD.org>; Sat, 12 Mar 2005 01:25:30 +0000 (UTC)
Message-Id: <200503120125.j2C1PSrp008530@lyssa.zhadum.de>
Date: Sat, 12 Mar 2005 01:25:28 GMT
From: Matthias Scheler <tron@colwyn.zhadum.de>
Reply-To: tron@colwyn.zhadum.de
To: gnats-bugs@netbsd.org
Subject: IPFilter doesn't send out TCP-RST packets via IPv6
X-Send-Pr-Version: 3.95
>Number: 29665
>Category: kern
>Synopsis: IPFilter doesn't send out TCP-RST packets via IPv6
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: kern-bug-people
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sat Mar 12 01:26:00 +0000 2005
>Closed-Date: Mon May 30 18:47:55 +0000 2005
>Last-Modified: Mon May 30 18:47:55 +0000 2005
>Originator: Matthias Scheler
>Release: NetBSD 2.99.16 (2005-03-11 sources)
>Organization:
Matthias Scheler http://scheler.de/~matthias/
>Environment:
System: NetBSD ivanova.zhadum.de 2.99.16 NetBSD 2.99.16 (IVANOVA) #0: Fri Mar 11 17:25:55 GMT 2005 tron@colwyn.zhadum.de:/export/scratch/tron/build.18111a/sys/compile/IVANOVA sparc
Architecture: sparc
Machine: sparc
>Description:
After upgrading my firewall from NetBSD 2.0.1 to 2.99.16 it no longer
sends TCP reset packets to block incoming connections:
> telnet colwyn.zhadum.de
Trying 2001:8b0:114:1::2...
telnet: connect to address 2001:8b0:114:1::2: Connection timed out
Trying 81.187.181.114...
telnet: Unable to connect to remote host: Connection refused
As you can see from the output above it still works fine with IPv4.
I use (almost) identical rules for IPv4 and IPv6:
/etc/ipf.conf:
block return-rst in log on hme0 proto tcp from any to any port < 1024
/etc/ipf6.conf:
block return-rst in log on stf0 proto tcp from any to any port < 1024
I've run "tcpdump" on "hme0" to examine the problem and the firewall
didn't send out an answer to the SYN packet.
>How-To-Repeat:
1.) Add a rule like this to "ipf6.conf":
block return-rst in log on stf0 proto tcp from any to any port < 1024
2.) Run "telnet system-protected-by-above-rule".
>Fix:
None provided.
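As an added check (example code, not part of the PR or of IPFilter), a small Python probe that attempts a TCP connect to the same port over IPv4 and over IPv6 and classifies what came back: ECONNREFUSED means the SYN was answered with a RST (the rule's intended "return-rst" behaviour), a timeout means the SYN went unanswered, which is the IPv6 symptom reported above. Host and port are the caller's own; the local-port values used in the self-test are constructed.

```python
import errno
import socket

# Classify how a host reacts to a TCP connect on one address family.
# A working "block return-rst" rule answers the SYN with a RST, which the
# client sees as ECONNREFUSED; a silently dropped or unanswered SYN ends
# in a timeout. Comparing the two families shows whether the rule fires
# for IPv6 as well as for IPv4.
def classify_connect(host: str, port: int, family: int, timeout: float = 3.0) -> str:
    """Return 'open', 'refused' (RST seen), 'timeout' (SYN unanswered),
    'unreachable', 'unresolvable' or 'unavailable' (no socket for family)."""
    try:
        infos = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)
    except socket.gaierror:
        return "unresolvable"
    if not infos:
        return "unresolvable"
    af, socktype, proto, _, sockaddr = infos[0]
    try:
        s = socket.socket(af, socktype, proto)
    except OSError:
        return "unavailable"  # e.g. kernel without IPv6 support
    s.settimeout(timeout)
    try:
        s.connect(sockaddr)
        return "open"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError as e:
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        raise
    finally:
        s.close()

def check_return_rst(host: str, port: int, timeout: float = 3.0) -> dict:
    """Probe one port over both families; 'consistent' is False when the
    firewall answers one family with a RST but leaves the other hanging."""
    results = {
        "ipv4": classify_connect(host, port, socket.AF_INET, timeout),
        "ipv6": classify_connect(host, port, socket.AF_INET6, timeout),
    }
    results["consistent"] = results["ipv4"] == results["ipv6"]
    return results

if __name__ == "__main__":
    import sys
    # Usage: python probe.py <host> <port>   (defaults are placeholders)
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 23
    print(check_return_rst(host, port))
```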
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed
State-Changed-By: tron@netbsd.org
State-Changed-When: Mon, 30 May 2005 18:47:55 +0000
State-Changed-Why:
I can no longer reproduce the problem with the machine running a kernel
built from 2005-05-28 sources.
>Unformatted: