pf/pfctl loading CIDR tables & IPv6

pf/pfctl loading CIDR tables & IPv6

freebsd-security mailing list
Hello List!

Hoping someone might be able to shed some light on this and get to a conclusion faster than I have time for right now.


But while loading a CIDR formatted list with ‘#’ comments from [1] I am getting the following error for multiple entries (>10), which results in only the partial list being loaded into the table… The settings to download the file [2] are from the Russian Federation, IPv6 and in CIDR format.

“ (pfctl -v -t blacklist -T add -f […]
No ALTQ support in kernel
ALTQ related functions disabled
no IP address found for 2001:BB6:6A10:4200:58D7:5934:7
pfctl: cannot load Downloads/cidr-3ffe1c0826f41fbdced334355b66202c.txt: Undefined error: 0
"

This happens both on FreeBSD 12-STABLE r367639 and the latest macOS Big Sur.

1. https://www.ip2location.com/free/visitor-blocker
2. https://www.dropbox.com/s/8efctv56j6ocrbv/Screen%20Shot%202020-11-14%20at%2010.52.07.png?dl=0


Appreciate any feedback on this and willing to test any patches to resolve this situation.


Thank you

--

J. Hellenthal

The fact that there's a highway to Hell but only a stairway to Heaven says a lot about anticipated traffic volume.






_______________________________________________
[hidden email] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "[hidden email]"

Re: pf/pfctl loading CIDR tables & IPv6

freebsd-security mailing list
I should also note here that after modifying the file and removing the offending information there was also another error where the “/” character was being tested and failed for IPv6, but I do not have that error available ATM.



--

J. Hellenthal

The fact that there's a highway to Hell but only a stairway to Heaven says a lot about anticipated traffic volume.







Re: pf/pfctl loading CIDR tables & IPv6

John-Mark Gurney-2
In reply to this post by freebsd-security mailing list
J. Hellenthal via freebsd-security wrote this message on Sat, Nov 14, 2020 at 10:58 -0600:
> Hoping someone might be able to shed some light on this and get to a conclusion faster than I have time for right now.
>
>
> But while loading a CIDR formatted list with ‘#’ comments from [1] I am getting the following error for multiple entries >10 and results in the only the partial list being loaded into the table… The settings to download the file[2] are from the Russian Federation, IPv6 and in CIDR format.
>
> “ (pfctl -v -t blacklist -T add -f […]
> No ALTQ support in kernel
> ALTQ related functions disabled
> no IP address found for 2001:BB6:6A10:4200:58D7:5934:7

Well, this isn't a valid IPv6 address.  There are only 7 segments,
whereas an IPv6 address needs 8.  There is not a :: to fill out the
missing segment.

--
  John-Mark Gurney Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."

Re: pf/pfctl loading CIDR tables & IPv6

freebsd-security mailing list
Well shoot! I don’t even think about going down that rabbit hole. Thank you.

Wondering if it would be more useful, though, to skip past those formatting errors and continue reading the rest of the list instead of just discarding the results and not loading the remainder.

I’ll be in touch with ip2location as well.

--
 J. Hellenthal

The fact that there's a highway to Hell but only a stairway to Heaven says a lot about anticipated traffic volume.


Re: pf/pfctl loading CIDR tables & IPv6

John-Mark Gurney-2
J. Hellenthal wrote this message on Sat, Nov 14, 2020 at 12:49 -0600:
> Well shoot! I don’t even think about going down that rabbit hole. Thank you.

> >> no IP address found for 2001:BB6:6A10:4200:58D7:5934:7

The `no IP address found for` triggered my "it's trying to do a name
lookup" thought process, but that'd only happen if it wasn't a valid
address.

> Wondering if it be more useful tho to skip past those formatting errors to continue reading the rest of the list instead of just discarding the results and not loading the remainder.

Don't have a strong opinion on this...

> I’ll be in touch with ip2location as well

--
  John-Mark Gurney Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
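As an added example (not code from the thread, pf, or ip2location), a small pre-flight check for a pf table file that applies the rule John-Mark gives (an IPv6 literal needs 8 groups unless a `::` fills the gap) and does what the follow-up asks for: it reports each rejected entry with its line number and reason and emits only the loadable entries, so the rest of the list can still be fed to `pfctl -T replace -f`. The sample list is constructed; its third entry is the 7-group value from the thread.

```python
import ipaddress

# Constructed sample of an ip2location-style CIDR list with '#' comments.
# Line 4 is the 7-group value from the thread (no '::' fills the missing
# group); line 7 is a non-address that pfctl would try to resolve as a name.
SAMPLE_LIST = """\
# IP2Location(TM) visitor blocker - constructed sample
2001:bb6:6a10::/48
2a00:1450:4001::/48
2001:BB6:6A10:4200:58D7:5934:7
2001:BB6:6A10:4200:58D7:5934::7
203.0.113.0/24
not-an-address/64
"""

def strip_comment(line):
    """Drop a trailing '#' comment and surrounding whitespace, as pfctl does."""
    return line.split("#", 1)[0].strip()

def explain_ipv6(entry):
    """Say why an IPv6 literal is short, in the thread's terms.  Returns None
    when the text has 8 groups or a '::' that can fill the gap."""
    head = entry.split("/", 1)[0]
    groups = [g for g in head.split(":") if g]   # '::' yields empty strings
    if len(groups) == 8 or ("::" in head and len(groups) < 8):
        return None
    return f"{len(groups)} groups, no '::' to fill the missing {8 - len(groups)}"

def parse_entry(entry):
    """Return the network for one non-empty entry; raises ValueError where
    pfctl would reject it.  strict=False masks host bits instead of failing."""
    return ipaddress.ip_network(entry, strict=False)

def validate_table(text):
    """Split a table file into loadable networks and (lineno, entry, reason)
    tuples for the entries pfctl would refuse, instead of aborting the load."""
    good, bad = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = strip_comment(line)
        if not entry:
            continue
        try:
            good.append(str(parse_entry(entry)))
        except ValueError as exc:
            reason = (explain_ipv6(entry) if ":" in entry else None) or str(exc)
            bad.append((lineno, entry, reason))
    return good, bad

def clean_table(text):
    """Only the loadable entries, one per line, ready for pfctl -T replace -f."""
    good, _ = validate_table(text)
    return "\n".join(good) + "\n"
```

Run `validate_table` over the downloaded file before `pfctl -t blacklist -T replace -f`, and fix or drop the reported lines rather than losing the whole table.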