From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Cc: Tilman Linneweh
Date: Thu, 31 Jul 2008 18:26:51 +0200
Subject: Re: pf dropping packets despite pass all rule

On Thursday 31 July 2008 17:35:06 Tilman Linneweh wrote:
> Hi list,
>
> My setup:
>
> LAN -> Router with PF <- gif tunnel with IPSEC -> Server
>
> The router is running FreeBSD 7.0. Protocol is IPv6. ping6 works,
> but TCPv6 from LAN to Server does not work, unless I disable PF.
>
> Excerpt from pf.conf:
> pass in quick on gif0 all keep state
> pass out quick on gif0 all keep state
>
> pflog0 contains some strange packets:
> http://arved.priv.at/~arved/strangepackets.pcap

That dump is useless, please cap with "-s0".

> IPSEC_FILTERTUNNEL does not make a difference.
>
> I don't understand why pf is dropping something on gif0. And I can't decode
> what kind of packets these are, and why they are necessary for TCPv6.
>
> Any ideas?

I'd suspect ip-options. Try allow-opts and check "pfctl -si". If you
really want to trust gif0 completely, you could simply add "skip on gif0"
and pf will not mess with it at all.

--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
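
The two options suggested in the reply, written out as a pf.conf fragment. This is an added example, not text from the thread; it assumes the two gif0 rules from the quoted excerpt and writes the skip option in the `set skip on` form that pf.conf uses for it.

```conf
# Added example (not from the original message).
# Assumes the two gif0 rules quoted from pf.conf above.
# Use ONE of the two options, not both.

# Option 1: keep filtering on gif0, but let packets that match these
# rules pass even when they carry IP options.
pass in  quick on gif0 all keep state allow-opts
pass out quick on gif0 all keep state allow-opts

# Option 2: exclude gif0 from pf entirely. No rule is evaluated on the
# interface, so everything arriving over the tunnel is passed unfiltered
# and creates no state. This line belongs in the options section at the
# top of pf.conf, before any filter rules.
# set skip on gif0
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading. The `ip-option` counter in the `pfctl -si` output shows whether packets are being dropped for carrying options.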