Date: Thu, 16 Sep 2004 03:57:39 -0000
From: Pyun YongHyeon <yongari@kt-is.co.kr>
To: pf4freebsd@freelists.org
Subject: [pf4freebsd] Re: Statefull IPv6
Message-ID: <20031203052724.GA2893@kt-is.co.kr>
In-Reply-To: <20031202172034.GB30410@login.ecs.soton.ac.uk>
References: <20031202172034.GB30410@login.ecs.soton.ac.uk>
On Tue, Dec 02, 2003 at 05:20:34PM +0000, Mike Saywell wrote:

... [snip] ...

> However IPv6 pings don't.... In the log I get:
>
> 63. 384244 rule 12/0(match): pass in on dc1: 2001:630:d0:901::2 > 2001:630:d0:902::2: icmp6: echo request
> 000531 rule 0/0(match): block in on dc2: 2001:630:d0:902::2 > 2001:630:d0:901::2: icmp6: echo reply
>

Hmm... It was blocked.

> It's the same for all other traffic too, e.g. ssh:
> 000000 rule 12/0(match): pass in on dc1: 2001:630:d0:901::2.42559 > 2001:630:d0:902::2.22: [|tcp]
> 000617 rule 0/0(match): block in on dc2: 2001:630:d0:902::2.22 > 2001:630:d0:901::2.42559: [|tcp]
>
> Also if I dump the state whilst pinging from Zim to Centaur then with
> IPv4 I see:
>
> -su-2.05b# pfctl -ss
> icmp 192.168.1.2:22051 -> 192.168.2.2:22051 0:0
>
> but when using IPv6 it's blank. :(
>

Yes, it did not pass any packets. So it should have no entry, as expected.

> So it seems like "keep state" is only working with IPv4??
>

No. It should work for both IPv4 and IPv6.

> The full expanded ruleset is:
>
> block drop in log all
> block drop out log all
> pass quick on dc0 all
> pass quick on lo0 all
> pass log quick inet6 from any to fe00::/8
> pass log quick inet6 from any to ff00::/8
> pass log quick on dc1 inet6 from any to fe80::280:c8ff:fec9:9cbe
> pass log quick inet from any to 192.168.1.1
> pass log quick inet6 from any to 2001:630:d0:901::1
> pass log quick inet from any to 192.168.2.1
> pass log quick on dc2 inet6 from any to fe80::280:c8ff:fec9:9cbf
> pass log quick inet6 from any to 2001:630:d0:902::1
> pass in log on dc1 all
> pass out log on dc1 all
> pass out log on dc2 all keep state
>
> Does anybody have any ideas? The setup above should be fairly easy
> to reproduce...
>

This is reproducible on my 5.1R machine. However, it does not happen on 5.2-BETA. If you want a quick fix, just upgrade to 5.2-BETA. At present, I don't have any clue why pf blocks the packet on 5.1R. I'll take a look.

> I'll try and get an OpenBSD machine running so I can see if it's a
> general pf problem or a FreeBSD specific one...
>

It seems that it is a FreeBSD-only problem.

> Mike

Thanks for your report.

Regards,
Pyun YongHyeon
--
Pyun YongHyeon <http://www.kr.freebsd.org/~yongari>
