icmp6 rules for pf do not honour icmp6-type and code
Brought to you by: mikehorn
Hi all,
fwb 5.1.0.5399, Gentoo Linux ~amd64, compiled from source
When creating rules for OpenBSD's pf (firewall "4.7 or later"), any icmp6 rule will silently ignore the icmp6-type and code, even though they can be set in the GUI (and are set in the corresponding icmp6 service objects in the standard library). The resulting rules simply read:
pass quick inet6 proto icmp6 from <src> to <dst> label "RULE XXX -- ACCEPT"
which just opens ANY icmp6, router-solicitation and the like included. This must not happen.
The correct syntax (e.g. for icmp6-dest-unreachable) would be
pass quick inet6 proto icmp6 from <src> to <dst> icmp6-type 3 code 0
Since this is hidden from the GUI, and no notice appears when compiling, it will result in administrators opening more icmp6 stuff than they believe, leaving them with a less secure firewall.
Kind regards
/markus
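Until the compiler is fixed, the generated pf.conf can be checked for exactly the symptom described above. The following is an added example (not fwbuilder's code, and not part of the original report) that audits every "pass ... proto icmp6" rule and flags those carrying no icmp6-type; the pf.conf text it scans is a constructed sample.

```python
import re

# Constructed sample of compiler output in the shape described in the report.
# Only RULE 0 shows the bug: a pass rule for icmp6 with no icmp6-type at all.
SAMPLE_PF_CONF = """\
# constructed sample, not real fwbuilder output
pass quick inet6 proto icmp6 from any to any label "RULE 0 -- ACCEPT"
pass quick inet6 proto icmp6 from fe80::/10 to any icmp6-type 135 code 0 label "RULE 1 -- ACCEPT"
pass quick inet6 proto icmp6 from any to 2001:db8::1 icmp6-type 3 label "RULE 2 -- ACCEPT"
pass quick inet proto icmp from any to any icmp-type 8 code 0 label "RULE 3 -- ACCEPT"
block drop quick inet6 proto icmp6 from any to any label "RULE 4 -- DENY"
"""

ICMP6_RULE = re.compile(r"^\s*(pass|block)\b.*\bproto\s+icmp6\b")
ICMP6_TYPE = re.compile(r"\bicmp6-type\s+(\S+)(?:\s+code\s+(\S+))?")
LABEL = re.compile(r'label\s+"([^"]*)"')


def audit_icmp6_rules(pf_conf: str) -> list[dict]:
    """One record per 'pass ... proto icmp6' rule: line number, label,
    icmp6-type and code (None when the keyword is absent).

    Block rules are skipped: only pass rules widen what is reachable."""
    records = []
    for lineno, raw in enumerate(pf_conf.splitlines(), 1):
        line = raw.split("#", 1)[0]          # drop trailing comments
        m = ICMP6_RULE.match(line)
        if not m or m.group(1) != "pass":
            continue
        t = ICMP6_TYPE.search(line)
        lab = LABEL.search(line)
        records.append({
            "line": lineno,
            "label": lab.group(1) if lab else None,
            "type": t.group(1) if t else None,
            "code": t.group(2) if t and t.group(2) else None,
        })
    return records


def unrestricted_icmp6_pass(pf_conf: str) -> list[dict]:
    """The rules the report warns about: pass icmp6 with no icmp6-type,
    i.e. every ICMPv6 message (router solicitation included) is allowed."""
    return [r for r in audit_icmp6_rules(pf_conf) if r["type"] is None]


if __name__ == "__main__":
    for r in unrestricted_icmp6_pass(SAMPLE_PF_CONF):
        print(f"line {r['line']}: {r['label']!r} passes ALL icmp6 (no icmp6-type)")
```

Run it against the real generated file with `unrestricted_icmp6_pass(open("pf.conf").read())`; any record returned is a rule whose type/code from the GUI was dropped.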