Thank you again for your reply, Daniel. Would you like to receive these two icmp6 packets? Would you like to receive these packets from every OpenBSD machine, every time they boot, every time they reboot? I don't like to spew packets. I try to take as much care in controlling what I send out as I do with what is sent in.

I must also confess that I'm a bit taken aback by the notion that OpenBSD is presently designed to send out packets before my firewall rules are loaded. It seems daft. It seems insecure. How can it be correct? I'm even more concerned that unwanted icmp6 packets can pass out through PF, regardless of any loaded firewall rules. THESE packets cannot even be logged reliably. Furthermore, the output of various pfctl commands can't even agree, either as to how many packets were passed out or as to whether any such packets were passed out at all (pfctl -si lists passed packets (netstat -ss displays "sent" packets), while pfctl -v -s rules hasn't a clue).

In my opinion ipv6, inet6, and everything related are dangerous things to have enabled by DEFAULT on OpenBSD systems. I don't use them, I don't know anyone else who uses them, I don't fully understand how they work or interact. I don't know exactly what types of attacks are possible using them. I wish that there were an easy way to DISABLE these, either through PF, via a sysctl setting, or an inet/IPv4-ONLY GENERIC kernel. "Secure by default".

Regarding your comment, Daniel, many people do not understand why a project like OpenBSD would "obsess" over Correctness or Security. Why bother? :P

Will you be adding this ipv6/inet6 bug to your list of things to look at, in the fullness of time, when you get the chance? If anyone were to ask me just today, I'd have to tell them that PF cannot block or log ipv6/inet6 reliably. Every time I boot or reboot my machine such packets are bypassing both default and explicit firewall rules and passing to the outside world. Maybe the packets are being dropped by my internal network's firewall, maybe not. If my perimeter firewall were PF, it would not be able to log, let alone block, them. I DO NOT KNOW if holes in PF also allow ipv6/inet6 traffic IN. ??

Thank you again for your time and effort with regards to PF. I have used Netfilter in the past and still do occasionally (it has never failed me), but PF is peerless. I do not know of any other firewall that offers the features and complexity that PF does. I have used PF and OpenBSD via OpenBSD 4.0, 3.9, 3.8, and I believe 3.7. Only recently have I noticed problems that really need to be corrected.

I do have a couple of PF feature requests if you are at all receptive to these.

1) It would be nice if there were a way to disable PF's OS fingerprinting OR, more preferably, prevent it from sending its fingerprint database to /var/log. I load differing rulesets at different times to control different types of traffic. Every time a new ruleset is loaded the contents (in effect) of /etc/pf.os are appended to my logs. As a temporary workaround I usually use a 0-byte version of pf.os. I don't know of any other way to prevent my logs from being flooded when I change rulesets.

2) It would be handy if PF's OS fingerprinting could be used to append OS identification (estimations), along with packet information, to pflog. My perimeter firewall gets pelted with so many packets on an average day; if I were using PF to also protect my internal network (which I should be doing), it would be helpful to know which OSes "might" be generating the packets. I realize that packets can be crafted, and that p0f could probably be configured to do this, but the code is already within PF. I might be less concerned about a disparate handful of Windows machines attempting connections than a large array of Unix and unix-like machines (apparently) making the same attempts. Of course this ability might also make it easier for me to discern my own packets in my logs. Please let me know if this is presently possible; I have never been able to find a way to achieve this.

If you are amenable to a quick question that I have not been able to find the answer for... as regards PF tables, does the number of table entries allowed (as set by "set limit table-entries xxx" (default: 100000)) count individual addresses and address blocks the same, or would an address block like 172.16.0.0/12 be expanded and count as more than 1 entry (as per the limit)? I've tested random addresses within such tables in the past and assume that address blocks only count as 1 towards any limit, but not having seen anything definitive anywhere, I have always had some doubts.

Best Regards.
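The three PF configuration points the post touches on (dropping and logging every inet6 packet before any other rule is consulted, loading an empty fingerprint file instead of /etc/pf.os, and how a prefix such as 172.16.0.0/12 is held in a table) put together in one small pf.conf. This is an added example, not part of the post above and not code from Daniel or the PF project; the interface name em0, the table name rfc1918 and the path of the empty fingerprint file are assumptions made for illustration.

```conf
# Added example pf.conf (not from the post or from PF itself).
# Assumed interface name; change to the real external interface.
ext_if = "em0"

# "set fingerprints" points PF at a fingerprint file of your choosing.
# An empty file (assumed path, created with: touch /etc/pf.os.empty)
# loads no fingerprints at all, so nothing from /etc/pf.os is read
# when a ruleset is (re)loaded.
set fingerprints "/etc/pf.os.empty"

# Table entries are stored as the prefixes you give them. The /12 below
# is one entry, not 2^20 host addresses; "pfctl -t rfc1918 -T show"
# prints it back as a single line.
set limit table-entries 100000
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# First rule, "quick": every IPv6 packet in either direction is dropped
# and logged to pflog0 before any later rule is considered.
block drop log quick inet6

# Remaining policy is plain IPv4: deny by default, refuse spoofed
# private-range sources on the outside, allow outbound stateful traffic.
block log all
block drop in quick on $ext_if inet from <rfc1918> to any
pass out quick on $ext_if inet keep state
```

Load it with `pfctl -f /etc/pf.conf`, watch the logged IPv6 drops with `tcpdump -n -e -ttt -i pflog0 ip6`, and check the per-rule counters with `pfctl -v -s rules` and the table with `pfctl -t rfc1918 -T show` (`pfctl -s memory` reports the table-entries limit in force). These rules only take effect once pfctl has loaded them, so they say nothing about what the host sends before that point in the boot sequence.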