From: bugzilla-noreply@freebsd.org
To: net@FreeBSD.org
Subject: [Bug 280701] FreeBSD-SA-24:05 fix breaks ICMP/ICMP6 states handling in pf firewall (ping, traceroute)
Date: Fri, 23 Aug 2024 09:09:06 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 14.1-RELEASE
X-Bugzilla-Keywords: regression
X-Bugzilla-Severity: Affects Some People
X-Bugzilla-Who: doktornotor@mailinator.com
X-Bugzilla-Status: Closed
X-Bugzilla-Resolution: FIXED
X-Bugzilla-Assigned-To: net@FreeBSD.org
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
List-Id: Networking and TCP/IP with FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-net
Sender: owner-freebsd-net@FreeBSD.org
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=280701

--- Comment #40 from doktornotor ---

Ok, so... let's recap this:

What the original SA deals with - let me quote:

"When pf is configured to allow ND and block incoming Echo Requests, a crafted Echo Request packet after a Neighbor Solicitation (NS) can trigger an Echo Reply."

This is "fixed" by a series of patches which cause the regression described here, among others.

Even after fixing the regression by another series of patches, people still report that this caused yet more regressions, which directly match the area touched by the original "issue" described in the SA. That is, it breaks ND/NS (see Comment #31 and following).

Additionally, people report that ONLY reverting all the patches to the state before this "pressing" "security" issue of responding to ping - unnoticed by anyone since 2009 at least, let alone exploited (for what exactly?) - gets things back to a working state without regressions.

The response here - downstream issue, let's close it.

Between the breakage caused here and responding to pings, it's everyone's guess what users prefer. The original "security" "issue" has caused zero problems for 15+ years. Something's not responding to pings - yeah, there's a box with a firewall in place blocking ping. If there was no computer with the given address connected, the evil attacker crafting the packets as per the SA would get ICMP Destination Unreachable (ICMP Type 3) with one of the codes (such as 0 - net unreachable, 1 - host unreachable, etc.). Blocking pings actually confirms the computer is there, up and running. The only thing blocking responses to ping does is make basic networking diagnostics / troubleshooting a PITA.

How this whole thing is a security issue deserving an SA and urgent patching, causing the above regressions which are impacting real network operation and many users, goes beyond me, sorry.

Once upon a time, common sense was in use, as documented by http://www.faqs.org/rfcs/rfc1122.html - 3.2.2.6.

Back to the drawing board. Sigh. Have a nice day.

--
You are receiving this mail because:
You are the assignee for the bug.
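The SA quote in the comment above describes a pf configuration that "allows ND and blocks incoming Echo Requests". The ruleset below is an added example, not taken from the bug report, the SA, or the FreeBSD source; it shows that configuration shape with Neighbor Discovery matched on its own ICMPv6 types, separately from the echo rules, and keeps the RFC 1122 section 3.2.2.6 behaviour (hosts answering echo) as the alternative the commenter argues for. The interface name `vtnet0` is an assumption.

```pf
# Added example ruleset (not from the bug report or the SA).
# Assumed interface name; replace with the real one.
ext_if = "vtnet0"

set skip on lo0
block in on $ext_if
pass out on $ext_if

# IPv6 Neighbor Discovery and router discovery are matched on their own
# ICMPv6 types and passed without creating state, so whether they are
# accepted never depends on a state entry made for another message type.
pass in quick on $ext_if inet6 proto ipv6-icmp \
    icmp6-type { neighbrsol, neighbradv, routersol, routeradv } no state

# Error messages needed for path MTU discovery and usable error reporting.
pass in on $ext_if inet proto icmp icmp-type { unreach, timex }
pass in on $ext_if inet6 proto ipv6-icmp \
    icmp6-type { toobig, timex, unreach, paramprob }

# Echo requests get their own rules, kept apart from ND. Choose one:
# (a) answer echo, as RFC 1122 section 3.2.2.6 expects of hosts:
pass in on $ext_if inet proto icmp icmp-type echoreq
pass in on $ext_if inet6 proto ipv6-icmp icmp6-type echoreq
# (b) the configuration named in the SA quote (ND allowed, echo blocked):
#     delete the two echoreq lines above; the initial "block in" then
#     drops echo requests while ND continues to pass on the quick rule.
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it; `-n` parses the ruleset without installing it, so a typo in an `icmp6-type` name is caught without touching the running firewall. Whichever echo choice is made, keeping ND on a dedicated `no state` rule means an ICMPv6 state created by one message type is not what decides the fate of a later, different ICMPv6 message, which is the distinction the SA quote turns on.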