Re: Phantom IPV6-related packets , PF bugs?
This is a discussion on Re: Phantom IPV6-related packets , PF bugs? within the comp.unix.bsd.openbsd.misc forums, part of the OpenBSD category; --> Thanks for the reply Joachim. I'm probably one of the more paranoical OpenBSD users , I do filter (and ...
| |||||||
| FAQ | Members List | Calendar | Search | Today's Posts | Mark Forums Read |
02-16-2008, 08:46 AM
| ||||
| ||||
 Re: Phantom IPV6-related packets , PF bugs? Thanks for the reply Joachim. I'm probably one of the more paranoical OpenBSD users , I do filter (and otherwise constrain) loop. [Another pfctl -sr excerpt]: pass in quick on lo0 inet from 127.0.0.1 to 127.0.0.1 keep state (no-sync, if-bound) pass out quick on lo0 inet from 127.0.0.1 to 127.0.0.1 keep state (no-sync, if-bound) But I don't think loop is the problem , pfctl -v -s rules lists only 0's for inet/loop (0 evaluations , 0 packets). Remember I use Default Block Drop policies inbound and outbound , and I have absolutely no rules allowing IPV6-related traffic. [Btw , i've been filtering my inet/loop for a year or two now. On my OpenBSD desktop machine there have been no problems or irregularities whatsoever. Maybe heavily-loaded servers would have resource problems but I do not.] I do have the following entries in my /etc/hosts: ::1 myhost myhost 127.0.0.1 myhost myhost I don't see how hosts entries would allow PF to be bypassed. Maybe removing the ::1 entry might preclude the sending of the three packets in question? Or of the two packets that seem to be sent before PF is active? Is there a more appropriate entry to Block Drop all IPV6-and-all-related traffic for pf.conf? I was under the impression that my default block drop policies as well as my explicit protocol-specific block drop rules should have been sufficient. I read through the other recent IPV6 threads only after having sent my post , I didn't notice it at the time. Is there an "inet6" setting for pf.conf that I do not have listed as explicit rules (as per pfctl -sr from my first post)? I always worry about things that do not make sense , i've been meaning to try to trouble-shoot this for some time. Most things , like the DNS leakage in the 4.0-release Firefox version can be filtered by PF (if you don't use DNS otherwise anyway). Packets that cannot be filtered or logged MIGHT be particularly dangerous. If the "packets" were only fragments scrubbing should have dropped them. Btw , my system never attempts to send any additional packets to the ones i've mentioned , no matter how long the machine has been up. It's always two packets sent out before PF , two sent packets being blocked and dropped , and three seemingly successful escapees. I assume they are simply dropped by the internal network's firewall. I prefer to have all of my packets accounted for.      |
Linear Mode
