NetBSD Problem Report #29665

From tron@colwyn.zhadum.de  Sat Mar 12 01:25:30 2005
Return-Path: <tron@colwyn.zhadum.de>
Received: from colwyn.zhadum.de (colwyn.zhadum.de [81.187.181.114])
	by narn.netbsd.org (Postfix) with ESMTP id 09F8063B116
	for <gnats-bugs@gnats.NetBSD.org>; Sat, 12 Mar 2005 01:25:30 +0000 (UTC)
Message-Id: <200503120125.j2C1PSrp008530@lyssa.zhadum.de>
Date: Sat, 12 Mar 2005 01:25:28 GMT
From: Matthias Scheler <tron@colwyn.zhadum.de>
Reply-To: tron@colwyn.zhadum.de
To: gnats-bugs@netbsd.org
Subject: IPFilter doesn't send out TCP-RST packets via IPv6
X-Send-Pr-Version: 3.95

>Number:         29665
>Category:       kern
>Synopsis:       IPFilter doesn't send out TCP-RST packets via IPv6
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat Mar 12 01:26:00 +0000 2005
>Closed-Date:    Mon May 30 18:47:55 +0000 2005
>Last-Modified:  Mon May 30 18:47:55 +0000 2005
>Originator:     Matthias Scheler
>Release:        NetBSD 2.99.16 (2005-03-11 sources)
>Organization:
Matthias Scheler                                  http://scheler.de/~matthias/
>Environment:
System: NetBSD ivanova.zhadum.de 2.99.16 NetBSD 2.99.16 (IVANOVA) #0: Fri Mar 11 17:25:55 GMT 2005  tron@colwyn.zhadum.de:/export/scratch/tron/build.18111a/sys/compile/IVANOVA sparc
Architecture: sparc
Machine: sparc
>Description:
After upgrading my firewall from NetBSD 2.0.1 to 2.99.16 it no longer
sends TCP reset packets to block incoming connections:

> telnet colwyn.zhadum.de   
Trying 2001:8b0:114:1::2...
telnet: connect to address 2001:8b0:114:1::2: Connection timed out
Trying 81.187.181.114...
telnet: Unable to connect to remote host: Connection refused

As you can see from the output above, it still works fine with IPv4.

I use (almost) identical rules for IPv4 and IPv6:

/etc/ipf.conf:
block return-rst in log on hme0 proto tcp from any to any port < 1024

/etc/ipf6.conf:
block return-rst in log on stf0 proto tcp from any to any port < 1024

I've run "tcpdump" on "hme0" to examine the problem and the firewall
didn't send out an answer to the SYN packet.

>How-To-Repeat:
1.) Add a rule like this to "ipf6.conf":

block return-rst in log on stf0 proto tcp from any to any port < 1024

2.) Run "telnet system-protected-by-above-rule".

>Fix:
None provided.
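Added example, not part of this PR or of IPFilter: a small check over tcpdump output that pairs each SYN to a blocked port with the RST it should receive from a "block return-rst" rule and reports, per address family, the SYNs that got no reset. The capture lines are constructed; the client addresses are documentation-range placeholders, the server addresses are the ones quoted in the report.

```python
import re

# Constructed tcpdump-style lines (not from the PR): an IPv6 SYN that the
# firewall leaves unanswered (plus one retransmit), and an IPv4 SYN that
# receives the expected RST+ACK.
SAMPLE_CAPTURE = """\
01:25:30.100000 IP6 2001:db8::10.40000 > 2001:8b0:114:1::2.23: Flags [S], seq 100, win 65535, length 0
01:25:33.100000 IP6 2001:db8::10.40000 > 2001:8b0:114:1::2.23: Flags [S], seq 100, win 65535, length 0
01:25:40.200000 IP 192.0.2.10.40001 > 81.187.181.114.23: Flags [S], seq 200, win 65535, length 0
01:25:40.200400 IP 81.187.181.114.23 > 192.0.2.10.40001: Flags [R.], seq 0, ack 201, win 0, length 0
"""

# tcpdump prints both families as "<addr>.<port>"; splitting on the last
# dot keeps the colons of an IPv6 address intact.
LINE_RE = re.compile(r"^\S+ (IP6?) (\S+) > (\S+): Flags \[([^\]]*)\]")


def endpoint(text):
    """Split tcpdump's 'addr.port' into (addr, port) for IPv4 and IPv6."""
    addr, port = text.rsplit(".", 1)
    return addr, int(port)


def unanswered_syns(capture):
    """Return (family, src, dst) for every SYN with no RST from dst back to src."""
    syns, resets = set(), set()
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        family, src, dst, flags = m.groups()
        src, dst = endpoint(src), endpoint(dst)
        if flags == "S":                 # pure SYN, the blocked attempt
            syns.add((family, src, dst))
        elif "R" in flags:               # RST or RST+ACK answering it
            # A reset travels in the reverse direction of the SYN it answers.
            resets.add((family, dst, src))
    return sorted(syns - resets)


def missing_reset_families(capture):
    """Address families ('IP', 'IP6') in which blocked SYNs got no reset."""
    return sorted({family for family, _, _ in unanswered_syns(capture)})


if __name__ == "__main__":
    for family, src, dst in unanswered_syns(SAMPLE_CAPTURE):
        print(f"{family}: no RST for SYN {src[0]}.{src[1]} -> {dst[0]}.{dst[1]}")
```

Run against a real capture ("tcpdump -n -i hme0 tcp" piped to a file) the same check tells whether the return-rst rule fires for both families or, as in this report, only for IPv4.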

>Release-Note:

>Audit-Trail:

State-Changed-From-To: open->closed
State-Changed-By: tron@netbsd.org
State-Changed-When: Mon, 30 May 2005 18:47:55 +0000
State-Changed-Why:
I can no longer reproduce the problem with the machine running a kernel
built from 2005-05-28 sources.


>Unformatted:
