From owner-freebsd-pf@FreeBSD.ORG Sun Nov 23 13:09:30 2014
Date: Sun, 23 Nov 2014 14:10:24 +0100
From: Niklaas Baudet von Gersdorff
To: Robin Geuze, "freebsd-pf@freebsd.org"
Subject: Re: Configuring PF with Jails only having IPv6
Message-ID: <20141123131024.GC2833@len-x61s.klaas>
In-Reply-To: <54709CEE.2090800@bluerosetech.com>
X-PGP-Key: http://www.kulturflatrate.net/niklaas/niklaas-baudet-von-gersdorff.asc
User-Agent: Mutt/1.5.23 (2014-03-12)
List-Id: "Technical discussion and general questions about packet filter (pf)"

Robin Geuze [2014-11-22 12:55 +0000] :
> IPv6 uses icmp6 to transmit ndp packets. Ndp is basically the ipv6
> version of arp. Based on your packet dump it seems your server is
> trying to figure out the mac address for the router for ipv6 but is
> disallowed by your pf rules. "pass in quick icmp6 from any to any" and
> "pass out quick icmp6 from any to any" should fix your problem.

Thank you for the explanation.

Darren Pilgrim [2014-11-22 06:25 -0800] :
> Or just "pass quick icmp6 from any to any".

Yes, what I finally use is

    pass quick proto icmp6 all

which should be the same.

> You should limit the types, though. See RFC 4890. In short, allow
> types 1, 2, 3, 4, 128, 129, 135, and 136 universally. If you use
> router advertisements, add types 133 and 134.

OK, thank you very much. I'll update the above line to only allow passing these.

After applying this I could connect to the jail without any problem. So, thank you very much. Nonetheless, no outbound connection from the jail was possible. Luckily, I just solved this. It was the following entry that caused the problem:

    pass out on $ext_if proto tcp all modulate state

It looks like it's not possible to use modulate state with IPv6, as briefly stated here:
https://forums.freebsd.org/threads/9-1-and-outgoing-tcp6-operation-timed-out.36595/#post-202506

Thanks again and best,

-- 
Niklaas Baudet von Gersdorff
niklaas@kulturflatrate.net
http://www.twitter.com/NBvGersdorff
http://www.kulturflatrate.net/niklaas
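The two pieces of advice in this thread, limiting ICMPv6 to the RFC 4890 types Darren lists and not applying "modulate state" to IPv6 TCP as Niklaas found, put together as a pf.conf excerpt. This is an added example, not configuration posted by anyone in the thread; the interface name em0, the 2001:db8::/64 jail prefix and the macro names are assumptions chosen for illustration. The blanket rule from the thread is kept as a comment next to the restricted version so the difference is visible.

```pf
# pf.conf excerpt (added example). Assumed names: em0, 2001:db8::/64 (documentation prefix).
ext_if = "em0"
table <jails6> { 2001:db8::/64 }

# --- ICMPv6 -----------------------------------------------------------
# What the thread ended up with (lets every ICMPv6 type through):
#   pass quick proto icmp6 all
#
# RFC 4890 subset from the thread, by pf's icmp6-type names:
#   1 unreach, 2 toobig, 3 timex, 4 paramprob     (error messages)
#   128 echoreq, 129 echorep                      (ping)
#   135 neighbrsol, 136 neighbradv                (NDP, the IPv6 "ARP")
#   133 routersol, 134 routeradv                  (only if you use RAs)
icmp6_err  = "{ unreach, toobig, timex, paramprob }"
icmp6_echo = "{ echoreq, echorep }"
icmp6_ndp  = "{ neighbrsol, neighbradv }"
icmp6_rtr  = "{ routersol, routeradv }"

# Without the error types (especially toobig) IPv6 path MTU discovery breaks,
# so do not narrow this list further than RFC 4890 suggests.
pass quick inet6 proto icmp6 all icmp6-type $icmp6_err
pass quick inet6 proto icmp6 all icmp6-type $icmp6_echo
# NS/NA is what was missing in the original packet dump: without it the host
# never learns the router's MAC address and no IPv6 traffic gets out.
pass quick inet6 proto icmp6 all icmp6-type $icmp6_ndp
# Drop or comment out the next line if the jails use static addresses only.
pass quick inet6 proto icmp6 all icmp6-type $icmp6_rtr

# --- Outbound TCP from the jails ---------------------------------------
# The rule that broke outbound IPv6 TCP in the thread (note: no address family,
# so it also matched inet6):
#   pass out on $ext_if proto tcp all modulate state
#
# Keep sequence-number modulation for IPv4 and plain state tracking for IPv6.
pass out on $ext_if inet  proto tcp from any to any modulate state
pass out on $ext_if inet6 proto tcp from <jails6> to any keep state
```

Before loading, check the syntax with `pfctl -nf /etc/pf.conf` (parse only, nothing is loaded). After loading, `tcpdump -ni em0 icmp6` while connecting to the jail is the quickest way to confirm that neighbor solicitations and advertisements are now going through, and `pfctl -ss | grep tcp` that outbound IPv6 connections from the jail prefix are creating states.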