Date: Wed, 26 Jul 2006 16:30:21 GMT
From: Daniel Hartmeier <daniel@benzedrine.cx>
To: freebsd-bugs@FreeBSD.org
Subject: Re: misc/100879: PF on Freebsd 6.1-STABLE doesn't block IPv6
Message-ID: <200607261630.k6QGULWF016141@freefall.freebsd.org>
The following reply was made to PR misc/100879; it has been noted by GNATS.

From: Daniel Hartmeier <daniel@benzedrine.cx>
To: Remko Catersels <sirdice@xs4all.nl>
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: misc/100879: PF on Freebsd 6.1-STABLE doesn't block IPv6
Date: Wed, 26 Jul 2006 18:27:30 +0200

On Wed, Jul 26, 2006 at 11:33:25AM +0000, Remko Catersels wrote:

> Compiled a kernel with INET6 support. Added device pf and pflog.
> Configured IPv6 using a tunnel broker supplied by my ISP. IPv6 fully
> functional. Internal machines all have a global IPv6 address.
> Added a block in on $ext_if inet6 from any to any. Reloaded pf.conf.
> I can still ping all the machines behind the firewall via IPv6.

That blocks IPv6 packets on $ext_if.

Maybe what is passing on $ext_if is not actually native IPv6 packets, but
encapsulated IPv6-in-IPv4 packets ("inet proto ipv6" in pf syntax)? And you
need to filter the native IPv6 packets after decapsulation on the virtual
tunnel interface, like gif(4)?

When in doubt, tcpdump ;)

Daniel
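The distinction Daniel draws, as an added pf.conf example that is not part of the PR thread or of anyone's posted configuration: on a tunnel-broker setup the external interface only ever sees IPv4 packets carrying protocol 41, so an "inet6" rule there never matches, while the decapsulated IPv6 packets traverse pf a second time on the gif(4) interface and must be filtered there. The interface names em0 and gif0 are assumptions.

```pf
# Added example; interface names are assumed (em0 = external IPv4 interface
# carrying the tunnel, gif0 = the IPv6-in-IPv4 tunnel endpoint).
ext_if = "em0"
tun_if = "gif0"

# The rule from the report. It matches only native IPv6 packets arriving on
# $ext_if; with a tunnel broker nothing native arrives there, so it is a no-op.
block in on $ext_if inet6 from any to any

# What actually crosses $ext_if is IPv4 with protocol 41 (ipv6 in /etc/protocols).
# Matching that would block the encapsulated packets, i.e. the whole tunnel,
# which is rarely what you want; shown commented out for comparison.
# block in on $ext_if inet proto ipv6 from any to any

# After gif(4) strips the IPv4 header, the inner IPv6 packets pass through pf
# again on $tun_if. That is where native IPv6 filtering belongs.
block in on $tun_if inet6 from any to any
# ICMPv6 carries path-MTU discovery; blocking it wholesale breaks the tunnel.
pass in on $tun_if inet6 proto icmp6 from any to any
# Example of a stateful pass for one service; everything else inbound stays blocked.
pass in on $tun_if inet6 proto tcp from any to any port 22 flags S/SA keep state
pass out on $tun_if inet6 from any to any keep state
```

To confirm which interface the packets really arrive on before changing rules, run tcpdump on both sides of the tunnel: "tcpdump -ni em0 ip proto 41" shows the encapsulated IPv4 traffic on the outer interface, and "tcpdump -ni gif0 ip6" shows the decapsulated IPv6 packets that the inet6 rules will see. Check the syntax with "pfctl -nf /etc/pf.conf" and, after loading, use pflog to verify that blocked pings are now logged on gif0 rather than silently passing.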