Article 993 at 08/11/13 10:36:22 From: akisada@tahi.org Subject: [users:00993] Re: PF problem? PF incompatibility?

Index: [Article Count Order] [Thread]
Date: Thu, 13 Nov 2008 10:34:41 +0900
From: Yukiyo Akisada <akisada@tahi.org>
Subject: [users:00993] Re: PF problem? PF incompatibility?
To: dvillamero_777@yahoo.com
Cc: users@tahi.org
Message-Id: <20081113103441.e6ce2619.akisada@tahi.org>
In-Reply-To: <197705.79017.qm@web57904.mail.re3.yahoo.com>
References: <20081112134247.1c49aab1.akisada@tahi.org>	<197705.79017.qm@web57904.mail.re3.yahoo.com>
X-Mail-Count: 00993

Dominic,

This is the additional information.

You may know that Type 0 RH has been already obsoleted by RFC 5095.
The behavior of Type 0 must be the same as Type 33 which is used in the test #38 and #40.

Thanks,


On Wed, 12 Nov 2008 03:14:30 -0800 (PST)
dominic villamero <dvillamero_777@yahoo.com> wrote:

> Hello Yuki, sorry for the late update...Yes its true, PF is the culprit ^_^.
> We found out that by default PF will drop packets with Routing Header Type 0. So thats why some of the tests FAILED. Well anyways, thanks for the reply and for your help.. ^_^
> 
> dominic
> 
> 
> 
> --- On Wed, 11/12/08, Yukiyo Akisada <akisada@tahi.org> wrote:
> 
> > From: Yukiyo Akisada <akisada@tahi.org>
> > Subject: [users:00989] Re: PF problem? PF incompatibility?
> > To: dvillamero_777@yahoo.com
> > Cc: users@tahi.org
> > Date: Wednesday, November 12, 2008, 12:42 PM
> > Hi, Dominic.
> > 
> > Now, I understand what you said.
> > // I imagined PlatForm or Protocol Familly about PF. :-)
> > 
> > In pure FreeBSD 7.0-RELEASE case on my environment,
> > everything from 38 through 41 is passed with no packet
> > filter configuration
> > as I attached.
> > 
> > Actually, I don't have enough knowledge about Packet
> > Filter,
> > but it might be PF configuration problem or PF itself
> > problem.
> > 
> > Or, did you change something about network configuration
> > using sysctl for example?
> > 
> > Thanks,
> > 
> > 
> > On Tue, 11 Nov 2008 04:19:04 -0800 (PST)
> > dominic villamero <dvillamero_777@yahoo.com> wrote:
> > 
> > > Sorry for the confusion, PF is Packet Filter or in
> > common term, FIREWALL. 
> > > PF I believe started in OpenBSD but has also been used
> > in any other 
> > > operating system like FreeBSD. 
> > > 
> > > As in my case, I'm using PF as my Firewall in NUT
> > which runs on FreeBSD 7.
> > > Unfortunately, I experienced some problems with it. :(
> > > 
> > > As what I've mentioned in my previous post, I got
> > 4 FAILED results in 
> > > Section 1 when I enabled PF(firewall), even if setting
> > a "pass all" rule.:(
> > > 
> > > We soon found out that by default PF blocks packets
> > with IP option set. So, 
> > > to eliminate this problem we added an
> > "allow-opts" rule which allow packets with IP
> > option set.
> > > 
> > > Example:
> > >            "pass all allow-opts"
> > > 
> > > Unfortunately, it only solved 1 problem and that's
> > segment 38 in Section 1.
> > > Segments 39, 40, and 41 remain unsolved. :(
> > > 
> > > Does anyone here knows anything about this issue? Or
> > atleast have encountered this problem? 
> > > 
> > > Is this a PF bug? Or probably I just missed something
> > out?
> > > 
> > > Thanks...
> > > 
> > > dominic
> > > 
> > > 
> > > --- On Tue, 11/11/08, Yukiyo Akisada
> > <akisada@tahi.org> wrote:
> > > 
> > > > From: Yukiyo Akisada <akisada@tahi.org>
> > > > Subject: [users:00986] Re: PF problem? PF
> > incompatibility?
> > > > To: dvillamero_777@yahoo.com
> > > > Cc: users@tahi.org
> > > > Date: Tuesday, November 11, 2008, 6:22 PM
> > > > Hi, Dominic.
> > > > 
> > > > What is "PF" in your word?
> > > > And what is what is "allow-opts"
> > option?
> > > > 
> > > > I have never heard them.
> > > > 
> > > > Please let me be clear.
> > > > 
> > > > 
> > > > On Tue, 11 Nov 2008 02:12:47 -0800 (PST)
> > > > dominic villamero
> > <dvillamero_777@yahoo.com> wrote:
> > > > 
> > > > > Oh my :(, segment 39, 40, and 41 under
> > Section 1: RFC
> > > > 2460 - IPv6 Specification still FAILED. Even
> > setting the
> > > > "allow-opts" option, if anyone knows
> > something
> > > > regarding this concern please enlighten us ^_^.
> > > > > 
> > > > > With "allow-opt" rule, only
> > segment 38
> > > > succeeded...
> > > > > 
> > > > > Hmm...do you think PF is the problem? please
> > > > help..thanks
> > > > > 
> > > > > 
> > > > > =- dominic  
> > > > > 
> > > > > 
> > > > > --- On Fri, 11/7/08, dominic villamero
> > > > <dvillamero_777@yahoo.com> wrote:
> > > > > 
> > > > > > From: dominic villamero
> > > > <dvillamero_777@yahoo.com>
> > > > > > Subject: Re: [users:00980] PF problem?
> > PF
> > > > incompatibility?
> > > > > > To: dvillamero_777@yahoo.com
> > > > > > Cc: users@tahi.org
> > > > > > Date: Friday, November 7, 2008, 2:10 PM
> > > > > > My work mate already solved the
> > problem. Just
> > > > added the
> > > > > > option "allow-opts"
> > > > > > 
> > > > > > example: pass all allow-opts
> > > > > > 
> > > > > > Anyways, thanks 
> > > > > > 
> > > > > > 
> > > > > > 
> > > > > > --- On Fri, 11/7/08, dominic villamero
> > > > > > <dvillamero_777@yahoo.com> wrote:
> > > > > > 
> > > > > > > From: dominic villamero
> > > > > > <dvillamero_777@yahoo.com>
> > > > > > > Subject: [users:00980] PF problem?
> > PF
> > > > incompatibility?
> > > > > > > To: users@tahi.org
> > > > > > > Date: Friday, November 7, 2008,
> > 4:00 AM
> > > > > > > Hello All, Good day!
> > > > > > > 
> > > > > > > 
> > > > > > > 
> > > > > > >      I tried to run the latest
> > version of
> > > > Self_Test
> > > > > > > script on FreeBSD 7-Release
> > against my 
> > > > > > > NUT which was also running on
> > FreeBSD 7. As
> > > > expected,
> > > > > > the
> > > > > > > test ran perfectly fine and 
> > > > > > > resulted a 100% passing rate.
> > > > > > > 
> > > > > > >    To go further with my test I
> > enabled PF
> > > > in NUT and
> > > > > > > configured it to "pass
> > all"
> > > > entering and
> > > > > > exiting
> > > > > > > traffic regardless whether if its
> > ipv6 or
> > > > ipv4.
> > > > > > > Unfortunately, there were 4
> > FAILURES all
> > > > under
> > > > > > "Section
> > > > > > > 1: RFC 2460 - Ipv6
> > Specification"
> > > > specifically
> > > > > > segments
> > > > > > > 
> > > > > > > "Test v6LC.1.2.9:
> > Unrecognized Routing
> > > > Type - End
> > > > > > > Node" and "Test
> > v6LC.1.2.10:
> > > > Unrecognized
> > > > > > Routing
> > > > > > > Type - Intermediate Node"
> > numbers 38,
> > > > 39, 40 and
> > > > > > 41.
> > > > > > > 
> > > > > > > Test v6LC.1.2.9: Unrecognized
> > Routing Type -
> > > > End Node
> > > > > > >     38: Part A: Unrecognized
> > Routing Type 33
> > > >     
> > > > > > > FAIL
> > > > > > >     39: Part B: Unrecognized
> > Routing Type 0 
> > > >      
> > > > > > > FAIL
> > > > > > > 
> > > > > > > Test v6LC.1.2.10: Unrecognized
> > Routing Type
> > > > -
> > > > > > Intermediate
> > > > > > > Node
> > > > > > >     40: Part A: Unrecognized
> > Routing Type 33
> > > >     
> > > > > > > FAIL
> > > > > > >     41: Part B: Unrecognized
> > Routing Type 0 
> > > >      
> > > > > > > FAIL
> > > > > > > 
> > > > > > > So my questions:
> > > > > > >        Is there a known issue
> > regarding
> > > > this?
> > > > > > >       Or am I missing something
> > out? :(
> > > > > > >       If PF is the problem is
> > there a
> > > > workaround?
> > > > > > > 
> > > > > > > I'm just new here, please
> > pardon me if
> > > > those
> > > > > > questions
> > > > > > > had already been asked and 
> > > > > > > answered before...Again I'm so
> > > > sorry...and thank
> > > > > > you
> > > > > > > 
> > > > > > > Test info:
> > > > > > > 
> > > > > > > TN - FreeBSD 7
> > > > > > > NUT - FreeBSD 7
> > > > > > > Test - phase 2
> > > > > > > Type - Host
> > > > > > > 
> > > > > > > 
> > > > > > > 
> > > > > > > Dominic
> > > > > 
> > > > > 
> > > > >       
> > > > > 
> > > > > 
> > > > 
> > > > 
> > > > -- 
> > > > Yukiyo Akisada <akisada@tahi.org>
> > > 
> > > 
> > >       
> > > 
> > > 
> > 
> > 
> > -- 
> > Yukiyo Akisada <akisada@tahi.org>
> 
> 
>       
> 
> 


-- 
Yukiyo Akisada <akisada@tahi.org>