Date: Thu, 16 Sep 2004 03:57:34 -0000 From: Mike Saywell <ms@ecs.soton.ac.uk> To: pf4freebsd@freelists.org Subject: [pf4freebsd] Statefull IPv6 Message-ID: <20031202172034.GB30410@login.ecs.soton.ac.uk>
Hi there,

We're using FreeBSD 5.1 + PF 2.00 (from ports) as an IPv6 firewall, however I can't seem to make stateful filtering work with IPv6... I am new to packetfilter so it might just be a misunderstanding on my part though.

The setup is:

  Zim--------Firewall----------Centaur
          dc1        dc2

Interfaces:

Zim:
  eth0      Link encap:Ethernet  HWaddr 00:A0:24:CB:67:44
            inet addr:192.168.1.2  Bcast:192.168.1.255  Mask:255.255.255.0
            inet6 addr: 2001:630:d0:901::2/64 Scope:Global
            inet6 addr: fe80::2a0:24ff:fecb:6744/64 Scope:Link

Firewall:
  dc1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
          inet6 fe80::280:c8ff:fec9:9cbe%dc1 prefixlen 64 scopeid 0x2
          inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
          inet6 2001:630:d0:901::1 prefixlen 64
  dc2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
          inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
          inet6 fe80::280:c8ff:fec9:9cbf%dc2 prefixlen 64 scopeid 0x3
          inet6 2001:630:d0:902::1 prefixlen 64

Centaur:
  eth1      Link encap:Ethernet  HWaddr 00:50:DA:E0:C7:B2
            inet addr:192.168.2.2  Bcast:192.168.2.255  Mask:255.255.255.0
            inet6 addr: 2001:630:d0:902::2/64 Scope:Global
            inet6 addr: fe80::250:daff:fee0:c7b2/10 Scope:Link

I've added routes on zim and centaur so that they can ping each other over both IPv4 and IPv6 when pf is disabled. I'm trying to allow all traffic from Zim and only stateful from Centaur back in.

Here is my pf.conf:

  # Define some interfaces
  iam_if = "dc0"
  one_if = "dc1"
  two_if = "dc2"

  # Default deny
  block in log all
  block out log all

  # Pass everything on iam_if since that's how I'm ssh'ed in :)
  pass quick on $iam_if all

  # Pass traffic on the loopback interface in either direction
  pass quick on lo0 all

  # Pass link local and multicast traffic
  pass quick log from any to fe00::/8
  pass quick log from any to ff00::/8

  # Allow traffic directly to/from our interfaces
  pass quick log from any to { $one_if, $two_if }

  # Allow all traffic from/to/between internal ipv6 nets
  pass in log on $one_if all
  pass out log on $one_if all

  # Allow all outbound traffic keeping state
  pass out log on $two_if all keep state

IPv4 from Zim to Centaur works fine (as expected); the logs show a pass in each direction:

  999348 rule 12/0(match): pass in on dc1: 192.168.1.2 > 192.168.2.2: icmp: echo request (DF)
  000896 rule 13/0(match): pass out on dc1: 192.168.2.2 > 192.168.1.2: icmp: echo reply

However, IPv6 pings don't. In the log I get:

  63. 384244 rule 12/0(match): pass in on dc1: 2001:630:d0:901::2 > 2001:630:d0:902::2: icmp6: echo request
  000531 rule 0/0(match): block in on dc2: 2001:630:d0:902::2 > 2001:630:d0:901::2: icmp6: echo reply

It's the same for all other traffic too, e.g. ssh:

  000000 rule 12/0(match): pass in on dc1: 2001:630:d0:901::2.42559 > 2001:630:d0:902::2.22: [|tcp]
  000617 rule 0/0(match): block in on dc2: 2001:630:d0:902::2.22 > 2001:630:d0:901::2.42559: [|tcp]

Also, if I dump the state whilst pinging from Zim to Centaur, then with IPv4 I see:

  -su-2.05b# pfctl -ss
  icmp 192.168.1.2:22051 -> 192.168.2.2:22051       0:0

but when using IPv6 it's blank. :(

So it seems like "keep state" is only working with IPv4??

The full expanded ruleset is:

  block drop in log all
  block drop out log all
  pass quick on dc0 all
  pass quick on lo0 all
  pass log quick inet6 from any to fe00::/8
  pass log quick inet6 from any to ff00::/8
  pass log quick on dc1 inet6 from any to fe80::280:c8ff:fec9:9cbe
  pass log quick inet from any to 192.168.1.1
  pass log quick inet6 from any to 2001:630:d0:901::1
  pass log quick inet from any to 192.168.2.1
  pass log quick on dc2 inet6 from any to fe80::280:c8ff:fec9:9cbf
  pass log quick inet6 from any to 2001:630:d0:902::1
  pass in log on dc1 all
  pass out log on dc1 all
  pass out log on dc2 all keep state

Does anybody have any ideas? The setup above should be fairly easy to reproduce... I'll try and get an OpenBSD machine running so I can see if it's a general pf problem or a FreeBSD-specific one.

Mike
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20031202172034.GB30410>
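The diagnosis in the mail is made by reading the pflog by eye: the opening packet of a flow passes on dc1, the reply is blocked on dc2 by rule 0, and pfctl -ss shows no state. The same check can be done mechanically over a pflog capture. The script below is an added example written for this thread; it is not code from the mail and not part of pf. It parses lines in the shape tcpdump printed them above (an optional "secs." prefix, then "usec rule N/M(reason): action dir on if: src > dst: summary", with host.port endpoints for TCP/UDP and bare hosts for ICMP, which is an assumption of the example), pairs each packet with the reverse direction of a flow seen earlier, and reports flows whose opening packet passed but whose return packet was blocked. The six sample lines are copied from the mail; all function and field names are the example's own.

```python
"""Find flows in tcpdump pflog output whose return packet was blocked.

Added example for the thread above (not pf code and not from the original
mail). It parses lines in the shape tcpdump -n -e -ttt -i pflog0 printed
them in the mail, e.g.

  000531 rule 0/0(match): block in on dc2: 2001:630:d0:902::2 > 2001:630:d0:901::2: icmp6: echo reply

and pairs each packet with the reverse of a flow seen earlier, so that
"opened by a pass rule, reply hit the default block" stands out without
reading the log by eye.
"""
import re

# The optional "secs. " prefix is what the old tcpdump -ttt format printed
# when the delta reached one second ("63. 384244" in the mail).
PFLOG_RE = re.compile(
    r"^\s*(?:(?P<secs>\d+)\.\s+)?(?P<usec>\d+)\s+"
    r"rule\s+(?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>\w+)\):\s+"
    r"(?P<action>pass|block)\s+(?P<dir>in|out)\s+on\s+(?P<ifname>\w+):\s+"
    r"(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+(?P<summary>.*)$"
)

# Sample input, copied from the mail above.
SAMPLE_LOG = [
    "999348 rule 12/0(match): pass in on dc1: 192.168.1.2 > 192.168.2.2: icmp: echo request (DF)",
    "000896 rule 13/0(match): pass out on dc1: 192.168.2.2 > 192.168.1.2: icmp: echo reply",
    "63. 384244 rule 12/0(match): pass in on dc1: 2001:630:d0:901::2 > 2001:630:d0:902::2: icmp6: echo request",
    "000531 rule 0/0(match): block in on dc2: 2001:630:d0:902::2 > 2001:630:d0:901::2: icmp6: echo reply",
    "000000 rule 12/0(match): pass in on dc1: 2001:630:d0:901::2.42559 > 2001:630:d0:902::2.22: [|tcp]",
    "000617 rule 0/0(match): block in on dc2: 2001:630:d0:902::2.22 > 2001:630:d0:901::2.42559: [|tcp]",
]


def split_endpoint(endpoint, has_port):
    """tcpdump writes 'host.port' for TCP/UDP and a bare host for ICMP."""
    if not has_port:
        return endpoint, None
    host, port = endpoint.rsplit(".", 1)
    return host, int(port)


def parse_line(line):
    """Return a dict for one pflog line, or None if the line is not one."""
    m = PFLOG_RE.match(line)
    if m is None:
        return None
    summary = m.group("summary")
    # Assumption of this example: only ICMP summaries start with the
    # protocol name; any other summary belongs to a port-bearing packet.
    if summary.startswith("icmp6"):
        proto = "icmp6"
    elif summary.startswith("icmp"):
        proto = "icmp"
    else:
        proto = "l4"
    src, sport = split_endpoint(m.group("src"), proto == "l4")
    dst, dport = split_endpoint(m.group("dst"), proto == "l4")
    return {
        "rule": int(m.group("rule")),
        "action": m.group("action"),
        "dir": m.group("dir"),
        "ifname": m.group("ifname"),
        "src": src, "sport": sport, "dst": dst, "dport": dport,
        "src_raw": m.group("src"), "dst_raw": m.group("dst"),
        "proto": proto,
        "family": "inet6" if ":" in src else "inet",
    }


def find_blocked_replies(lines):
    """Flows whose first packet passed but whose return packet was blocked.

    The flow key is (proto, src, sport, dst, dport); a packet whose reversed
    key was already seen is the return direction of that flow.
    """
    opened = {}
    problems = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        fwd = (rec["proto"], rec["src"], rec["sport"], rec["dst"], rec["dport"])
        rev = (rec["proto"], rec["dst"], rec["dport"], rec["src"], rec["sport"])
        if rev in opened:
            first = opened[rev]
            if first["action"] == "pass" and rec["action"] == "block":
                problems.append({
                    "family": first["family"],
                    "flow": f"{first['src_raw']} -> {first['dst_raw']}",
                    "opened_on": first["ifname"],
                    "pass_rule": first["rule"],
                    "blocked_on": rec["ifname"],
                    "block_rule": rec["rule"],
                })
        elif fwd not in opened:
            opened[fwd] = rec
    return problems


def report(problems):
    """One line per problem flow, in the order the flows were opened."""
    return [
        f"{p['family']} {p['flow']}: opened by rule {p['pass_rule']} on "
        f"{p['opened_on']}, reply blocked by rule {p['block_rule']} on {p['blocked_on']}"
        for p in problems
    ]


if __name__ == "__main__":
    for line in report(find_blocked_replies(SAMPLE_LOG)):
        print(line)
```

Run over the six lines from the mail it reports exactly the two IPv6 flows (the icmp6 ping and the ssh connection) and stays silent on the IPv4 ping, whose reply passed. Feeding it the saved output of the same tcpdump invocation on pflog0 gives the same answer for a whole capture, and the "opened on ... blocked on ..." pair tells you which interface's state (or missing state) to look at with pfctl -ss.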