#3
Old 02-16-2008, 08:47 AM
Clever Monkey
 
Default Re: PF IPv6/icmp6/inet6 vulnerabilities continue.

Borked Pseudo Mailed wrote:
[...]

> I am FAR MORE concerned about the 3 or more packets that
> regularly pass out of my system at each boot and reboot.
> These packets are SPECIAL and PRIVILEGED, they can pass
> out through PF regularly as if PF did-not-exist-for-them.
> PF cannot log these 3 packets. PF cannot control these
> packets in any way, the most I can get from PF is as a
> pfctl -si statistic. The equivalent of "PF has failed to
> stop these packets, PF has failed to log these packets, PF
> has passed these packets out despite any firewall you thought
> you were using". If I use PF to directly protect me from
> WAN traffic, what is to stop someone from bombarding me with
> infinite numbers of these packets (and any other similarly
> affected "SPECIAL" and "PRIVILEGED" packets). PF cannot block
> these packets, PF cannot even log these packets. PF has no
> defense against these packets. The only thing PF might be able
> to give me is pfctl -si statistics, informing me of exactly how
> many unstoppable/unidentified IPv6 packets it was unable to stop.
> Very helpful.
>

Have you tried to see if tweaking the /etc/rc file magically gets you
what you want?

If PF is enabled, it is started with a set of rules early on in the
startup process.

I imagine that this /might/ have something to do with the behaviour you
are seeing:

....
if ifconfig lo0 inet6 >/dev/null 2>&1; then
RULES="$RULES\npass out inet6 proto icmp6 all icmp6-type neighbrsol"
RULES="$RULES\npass in inet6 proto icmp6 all icmp6-type neighbradv"
RULES="$RULES\npass out inet6 proto icmp6 all icmp6-type routersol"
RULES="$RULES\npass in inet6 proto icmp6 all icmp6-type routeradv"
....

These might be the neighbour discovery packets we've been told about. The
type names match up reasonably with the neighbour discovery notes in RFC
2461. The only one missing is "Redirect", which probably doesn't make a
whole lot of sense, as these would likely be coming in on an interface
from another host in response to one or more of these four discovery
packets.

I have no idea what the fallout might be if you comment these out, but I
suspect if you do so, you will not see the traffic you mention.
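The four rc rules quoted in the post have no `log` keyword, and PF only hands a packet to pflog when the rule that matched it says `log`; that alone explains why nothing shows up in the log while `pfctl -si` counters still move. The script below is an added example, not code from the original post or from OpenBSD's /etc/rc: it reproduces those four rules verbatim, shows a logged equivalent a practitioner could put in /etc/pf.conf (the interface name em0 is an assumption), and audits a ruleset for icmp6 pass rules that carry no `log`. On a live host the audit should be run over `pfctl -sr`, which prints whatever ruleset is loaded right now, rather than over the rc fragment.

```shell
#!/bin/sh
# Added example; not part of the original post or of OpenBSD's /etc/rc.
# Reproduces the neighbour-discovery rules /etc/rc passes at boot and
# audits a PF ruleset for icmp6 pass rules that will never reach pflog.

# The four ND rules exactly as the quoted /etc/rc fragment builds them.
boot_nd_rules() {
    printf '%s\n' \
        'pass out inet6 proto icmp6 all icmp6-type neighbrsol' \
        'pass in inet6 proto icmp6 all icmp6-type neighbradv' \
        'pass out inet6 proto icmp6 all icmp6-type routersol' \
        'pass in inet6 proto icmp6 all icmp6-type routeradv'
}

# The same traffic, but logged and bound to one interface, as it could be
# written in /etc/pf.conf. "em0" is an assumed interface name.
logged_nd_rules() {
    printf '%s\n' \
        'pass out log on em0 inet6 proto icmp6 all icmp6-type neighbrsol' \
        'pass in log on em0 inet6 proto icmp6 all icmp6-type neighbradv' \
        'pass out log on em0 inet6 proto icmp6 all icmp6-type routersol' \
        'pass in log on em0 inet6 proto icmp6 all icmp6-type routeradv'
}

# Read a ruleset on stdin (e.g. `pfctl -sr`) and print every icmp6 pass
# rule that has no "log" token anywhere in it. Packets matched by such a
# rule are counted in `pfctl -si` but never appear in pflog.
unlogged_icmp6_passes() {
    awk '
        $1 == "pass" && /proto icmp6/ {
            for (i = 2; i <= NF; i++) if ($i == "log") next
            print
        }'
}

# Number of unlogged icmp6 pass rules on stdin, as a plain integer.
count_unlogged_icmp6() {
    unlogged_icmp6_passes | wc -l | tr -d ' '
}

# Usage on a live OpenBSD host: `sh audit_nd.sh live` audits the ruleset
# that is actually loaded. Guarded so the script also runs where pfctl is
# absent.
if [ "${1:-}" = "live" ] && command -v pfctl >/dev/null 2>&1; then
    pfctl -sr | unlogged_icmp6_passes
fi
```

Running the audit over the boot fragment reports all four rules; over the logged variant it reports none. If the live `pfctl -sr` still lists unlogged ND rules after boot, the ruleset that was supposed to replace them did not, and that is where to look before blaming PF.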