From owner-freebsd-pf@FreeBSD.ORG Wed Jan 5 03:23:59 2005
Date: Wed, 5 Jan 2005 12:23:51 +0900
From: Pyun YongHyeon
To: Hideki Yamamoto
Cc: freebsd-pf@freebsd.org
Subject: Re: pf NAT function with IPv6
Message-ID: <20050105032351.GA8022@kt-is.co.kr>
In-Reply-To: <20041230.232305.71087886.yamamoto436@oki.com>
Reply-To: yongari@kt-is.co.kr
List-Id: Technical discussion and general questions about packet filter (pf)

On Thu, Dec 30, 2004 at 11:23:05PM +0900, Hideki Yamamoto wrote:
> 
> Hi,
> 
> I tried to use pf to change the source address of an IPv6 UDP packet, but it does not go well.
> As the output of the 'pfctl' command seems to show no problem,
> I wonder if pf on FreeBSD does not support IPv6 now.
> 

AFAIK, no. pf is the only firewall that supports (almost) full IPv6 in BSDs.

> 
> ---------- /etc/pf.conf ------------- start
> ext_if="bge2"
> int_if="bge0"
> internal_net="fec0:0:0:d::0/32"
> nat on bge2 inet6 from fec0:0:0:d::1 to any -> 2001:b90:ee00:ff0b::1:3
> ---------- /etc/pf.conf ------------- end
> 
> tsrmldgw3# pfctl -s state
> No ALTQ support in kernel
> ALTQ related functions disabled
> self udp fec0:0:0:d::1[15001] -> 2001:b90:ee00:ff0b::1:3[52925] -> 2001:b90:ee00:51b:208:4ff:fe28:a1d2[8001]       SINGLE:NO_TRAFFIC
> 

Works here. Tested on FreeBSD-CURRENT sparc64.

mars# pfctl -ss
self tcp fec0:0:0:d::1[49152] -> 2001:b90:ee00:ff0b::1[51223] -> 2001:b90:ee00:ff0b::10[22]       ESTABLISHED:ESTABLISHED
self tcp fec0:0:0:d::1[22] <- 2001:b90:ee00:ff0b::1[22] <- 2001:b90:ee00:ff0b::10[49154]       ESTABLISHED:ESTABLISHED
mars# pfctl -sr
pass in on hme0 inet6 proto tcp all flags S/SA keep state
pass out on hme0 inet6 proto tcp all flags S/SA keep state
mars# pfctl -sn
nat on hme0 inet6 proto tcp from ! (hme0) to any -> 2001:b90:ee00:ff0b::1
rdr on hme0 inet6 proto tcp from any to any port = ssh -> fec0:0:0:d::1 port 22

Due to lack of hardware and an IPv6 setup, I tested an ssh connection.
But there is no reason UDP wouldn't work.

-- 
Regards,
Pyun YongHyeon
http://www.kr.freebsd.org/~yongari | yongari@freebsd.org
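As an added example that is not part of the thread, here is a small parser for the `pfctl -ss` state lines quoted above. It tells nat entries (`->`) from rdr entries (`<-`), handles two-endpoint states that pf prints when no translation was applied, skips notices such as the ALTQ lines, and reports which IPv6 states were actually rewritten. The sample input is constructed from the output shown in the thread plus one untranslated state.

```python
"""Parse `pfctl -ss` state lines and report which IPv6 entries were translated."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample modelled on the `pfctl -ss` output quoted in the thread;
# the last state line (no middle endpoint) is an added untranslated example.
SAMPLE_STATES = """\
No ALTQ support in kernel
self udp fec0:0:0:d::1[15001] -> 2001:b90:ee00:ff0b::1:3[52925] -> 2001:b90:ee00:51b:208:4ff:fe28:a1d2[8001]       SINGLE:NO_TRAFFIC
self tcp fec0:0:0:d::1[49152] -> 2001:b90:ee00:ff0b::1[51223] -> 2001:b90:ee00:ff0b::10[22]       ESTABLISHED:ESTABLISHED
self tcp fec0:0:0:d::1[22] <- 2001:b90:ee00:ff0b::1[22] <- 2001:b90:ee00:ff0b::10[49154]       ESTABLISHED:ESTABLISHED
self tcp 2001:b90:ee00:ff0b::10[49160] -> 2001:b90:ee00:ff0b::20[80]       ESTABLISHED:ESTABLISHED
"""

_ENDPOINT = re.compile(r"^([0-9A-Fa-f:.]+)\[(\d+)\]$")  # address[port]

@dataclass(frozen=True)
class State:
    proto: str
    direction: str                    # "out" for '->' (nat), "in" for '<-' (rdr)
    internal: Tuple[object, int]      # endpoint on the protected side
    translated: Optional[Tuple[object, int]]  # gateway-side endpoint, None if untranslated
    remote: Tuple[object, int]        # the far peer
    status: str

def _endpoint(token: str):
    m = _ENDPOINT.match(token)
    if not m:
        raise ValueError(f"unrecognised endpoint: {token!r}")
    return ipaddress.ip_address(m[1]), int(m[2])

def parse_states(text: str):
    states = []
    for line in text.splitlines():
        parts = line.split()
        # 6 tokens: iface proto A -> B STATUS ; 8 tokens: iface proto A -> GW -> B STATUS
        if len(parts) not in (6, 8) or parts[3] not in ("->", "<-"):
            continue  # kernel notices and other non-state lines
        direction = "out" if parts[3] == "->" else "in"
        internal = _endpoint(parts[2])
        if len(parts) == 8:
            translated, remote = _endpoint(parts[4]), _endpoint(parts[6])
        else:
            translated, remote = None, _endpoint(parts[4])
        states.append(State(parts[1], direction, internal, translated, remote, parts[-1]))
    return states

def translated_v6(states):
    """States whose IPv6 address was really rewritten by a nat or rdr rule."""
    return [s for s in states if s.translated is not None
            and s.internal[0].version == 6 and s.translated[0] != s.internal[0]]
```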