Date: Thu, 21 Feb 2008 16:36:01 -0800
From: Christopher Cowart
To: Colin Brace
Cc: freebsd-questions@freebsd.org
Subject: Re: PF vs. ping6
Message-ID: <20080222003601.GN88015@hal.rescomp.berkeley.edu>
Organization: RSSP-IT, UC Berkeley

On Fri, Feb 22, 2008 at 01:14:55AM +0100, Colin Brace wrote:
> Hi all,
>
> I am trying to set up an IPv6 tunnel following the instructions in the
> handbook.
> aiccu starts ok:
>
> # sixxs-aiccu start
> Tunnel Information for T14342:
> POP Id : nlams05
> IPv6 Local : xxxxxxxxxxxxxxxxx2/64
> IPv6 Remote : xxxxxxxxxxxxxxxxx1/64
> Tunnel Type : 6in4-heartbeat
> Adminstate : enabled
> Userstate : enabled
>
> I can ping6 localhost, I can ping6 the tunnel begin point (local), but
> I can't ping6 the (remote) end point. Firing up tcpdump, I see that
> the firewall is blocking the ping packets.
>
> I have these (provisional) rules at the top of the filter section in PF:
>
> pass quick on fxp0 inet6 # ext if

I don't use pf, but I'm guessing from the man page that you may need to
try:

    pass quick on fxp0 proto 41

You might be able to substitute 41 with the symbolic name in
/etc/protocols (ipv6). Note that you're trying to match the "protocol"
field of an IPv4 address which, for the majority of internet traffic, is
tcp, udp, or icmp; in this case it's ipv6, because the contents of your
IPv4 packets are the tunneled v6 packets.

I think 'pass quick on fxp0 inet6' is checking against the type of the
outer packet, which is actually an IPv4 packet.

Good luck,

-- 
Chris Cowart
Network Technical Lead
Network & Infrastructure Services, RSSP-IT
UC Berkeley
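An added illustration of the outer/inner distinction described in the reply above (not part of the original message, and not PF's own code): it builds a constructed 6in4 packet and reports which address family and protocol the outer header presents to a filter on the physical interface. The function names, the documentation-range addresses and the simplified `matches` check are assumptions made for this example.

```python
import struct

def build_6in4_echo_request():
    """Constructed sample: ICMPv6 echo request, inside IPv6, inside IPv4.
    Checksums are left at zero, so this is for parsing only."""
    icmp6 = struct.pack("!BBHHH", 128, 0, 0, 1, 1)   # type 128 = echo request
    src6 = bytes.fromhex("20010db8000000000000000000000002")  # 2001:db8::2
    dst6 = bytes.fromhex("20010db8000000000000000000000001")  # 2001:db8::1
    # IPv6 header: version 6, payload length, next header 58 (ICMPv6), hop limit
    ipv6 = struct.pack("!IHBB", 6 << 28, len(icmp6), 58, 64) + src6 + dst6 + icmp6
    # IPv4 header: protocol field 41 marks the payload as an IPv6 packet
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(ipv6), 0, 0, 64, 41, 0,
                       bytes([192, 0, 2, 10]), bytes([198, 51, 100, 1]))
    return ipv4 + ipv6

def classify(packet):
    """Describe the OUTER header; for protocol 41 also peek at the inner one."""
    if not packet:
        raise ValueError("empty packet")
    version = packet[0] >> 4
    if version == 6:
        if len(packet) < 40:
            raise ValueError("truncated IPv6 header")
        return {"af": "inet6", "proto": packet[6], "inner_next_header": None}
    if version != 4:
        raise ValueError("not an IP packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("truncated IPv4 header")
    inner = None
    payload = packet[ihl:]
    if packet[9] == 41 and len(payload) >= 40 and payload[0] >> 4 == 6:
        inner = payload[6]        # next-header field of the tunneled IPv6 packet
    return {"af": "inet", "proto": packet[9], "inner_next_header": inner}

def matches(rule_af, rule_proto, packet):
    """Simplified rule check on address family and protocol only (None = any)."""
    info = classify(packet)
    return (rule_af in (None, info["af"])) and (rule_proto in (None, info["proto"]))

if __name__ == "__main__":
    pkt = build_6in4_echo_request()
    print("outer:", classify(pkt))
    print("inet6 rule matches outer packet:", matches("inet6", None, pkt))
    print("proto 41 rule matches outer packet:", matches(None, 41, pkt))
    print("inet6 rule matches decapsulated packet:", matches("inet6", None, pkt[20:]))
```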