Date: Sun, 23 Nov 2014 14:10:24 +0100
From: Niklaas Baudet von Gersdorff <niklaas@kulturflatrate.net>
To: Robin Geuze <robing@transip.nl>, "freebsd-pf@freebsd.org" <freebsd-pf@freebsd.org>
Subject: Re: Configuring PF with Jails only having IPv6
Message-ID: <20141123131024.GC2833@len-x61s.klaas>
In-Reply-To: <54709CEE.2090800@bluerosetech.com> <AM3PR02MB03919B240CBCB1009066B47BAA740@AM3PR02MB0391.eurprd02.prod.outlook.com>

Robin Geuze [2014-11-22 12:55 +0000] :

> IPv6 uses icmp6 to transmit ndp packets. Ndp is basically the ipv6
> version of arp. Based on your packet dump it seems your server is
> trying to figure out the mac address for the router for ipv6 but is
> disallowed by your pf rules. "pass in quick icmp6 from any to any" and
> "pass out quick icmp6 from any to any" should fix your problem.

Thank you for the explanation.

Darren Pilgrim [2014-11-22 06:25 -0800] :

> Or just "pass quick icmp6 from any to any".

Yes, what I finally use is

    pass quick proto icmp6 all

which should be the same.

> You should limit the types, though. See RFC 4890. In short, allow
> types 1, 2, 3, 4, 128, 129, 135, and 136 universally. If you use
> router advertisements, add types 133 and 134.

OK, thank you very much. I'll update the above line to only allow passing
these.

After applying this I could connect to the jail without any problem. So,
thank you very much. Nonetheless there was no outbound connection from
the jail possible. Luckily, I just solved this. It was the following
entry that caused problems:

    pass out on $ext_if proto tcp all modulate state

Because it looks like it's not possible to use modulate state with
IPv6, as briefly stated here:

https://forums.freebsd.org/threads/9-1-and-outgoing-tcp6-operation-timed-out.36595/#post-202506

Thanks again and best,

-- 
Niklaas Baudet von Gersdorff
niklaas@kulturflatrate.net
http://www.twitter.com/NBvGersdorff
http://www.kulturflatrate.net/niklaas
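
The two changes discussed in this message, written out as a pf.conf fragment. This is an added example, not rules posted by anyone in the thread; the interface name "em0" is a placeholder, and the address-family split on the TCP rule is an assumption about how to apply the workaround the message describes.

```pf
# Added example, not taken from the thread.
# "em0" is a placeholder; $ext_if is the macro name used in the message.
ext_if = "em0"

# --- ICMPv6 ---------------------------------------------------------
# Before: every ICMPv6 type passes in both directions.
# pass quick proto icmp6 all

# After: only the types listed in the thread (per RFC 4890) pass.
#   1   destination unreachable     128 echo request
#   2   packet too big              129 echo reply
#   3   time exceeded               135 neighbor solicitation (NDP)
#   4   parameter problem           136 neighbor advertisement (NDP)
pass quick inet6 proto icmp6 all icmp6-type { 1, 2, 3, 4, 128, 129, 135, 136 }

# Only if router advertisements are in use:
#   133 router solicitation, 134 router advertisement
# pass quick inet6 proto icmp6 all icmp6-type { 133, 134 }

# --- Outbound TCP ---------------------------------------------------
# Before: one rule covers both address families, so IPv6 connections
# from the jail also get "modulate state".
# pass out on $ext_if proto tcp all modulate state

# After (assumed split): modulate state stays on IPv4 only,
# IPv6 TCP uses plain stateful filtering.
pass out on $ext_if inet  proto tcp all modulate state
pass out on $ext_if inet6 proto tcp all keep state
```

Running `pfctl -nf /etc/pf.conf` parses the ruleset without loading it, which catches syntax errors before the rules go live.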