From: Michael Grimm <trashcan@odo.in-berlin.de>
To: freebsd-pf@freebsd.org
Subject: [SOLVED]: nc: connect to b:b:b:b::1:1 port 53 (tcp) failed: Operation timed out
Date: Sat, 29 Dec 2012 15:31:03 +0100
Message-Id: <5FA24BDE-D6EE-4C3F-B0DE-BC5CBE9EA7A8@odo.in-berlin.de>
References: <14C709A3-B608-44C3-B12F-5F6790AA60DC@odo.in-berlin.de> <50DEDA01.4060103@cyberleo.net>
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hi --

On 29.12.2012, at 13:07, Kimmo Paasiala wrote:

> On Sat, Dec 29, 2012 at 1:54 PM, CyberLeo Kitsana wrote:
>> On 12/28/2012 05:59 AM, Michael Grimm wrote:
>>> I do run both my primary and secondary nameservers (distinct servers) in FreeBSD jail1 and jail2 as outlined below:
>>
>>> I do see using tcpdump at server1:
>>>
>>> | 00:00:02.066251 xx:xx:xx:xx:xx > yy:yy:yy:yy:yy, ethertype IPv6 (0x86dd), length 94: (flowlabel 0xa3c71, hlim 63, next-header TCP (6) payload length: 40) b:b:b:b::1.64158 > a:a:a:a:1::1.53: Flags [S],
>>> cksum 0x959b (incorrect -> 0x58f9), seq 3833155181, win 65535, options [mss 1440,nop,wscale 6,sackOK,TS val 495939599 ecr 0], length 0
>>  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>> 9.1's PF appears to be either corrupting or not updating the packet
>> checksum when it touches IPv6 packets. I was not able to figure out how
>> or why in my brief perusal of the source, but it seems to affect more
>> than just NAT66.
>>
>> http://freebsd.1045724.n5.nabble.com/PF-IPv6-NAT-and-The-Curse-of-The-Invalid-Checksum-td5769669.html
>
> Afaik any kind of NAT on IPv6 is broken with pf(4) at the moment.
>

I've been told to change my outgoing rule from ...

| pass out log on $extIF inet6 proto {tcp, udp, icmp6, gre} all modulate state

... to ...

| pass out log on $extIF inet6 proto {tcp, udp, icmp6, gre} all

... and that did the trick! No more checksum and timeout errors. Now it works as expected.

Just for me to learn: What change in code from 9.0 to 9.1 made that first rule break? I used that rule since 7.0, IIRC.

And one last question: I do have "modulate state" for the corresponding IPv4 rule as well. Should I modify that as well? Sorry for that dumb question, but I don't know pf well enough to judge myself.

Thanks for your help, and with kind regards,
Michael
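The symptom in the thread is visible only in verbose tcpdump output, where each TCP/UDP segment carries either "(correct)" or "(incorrect -> 0x....)" after its checksum. The following POSIX shell check is an added example, not code from the thread or from the pf project: it scans `tcpdump -vv` output for IPv6 segments flagged with an incorrect transport checksum and lists the affected flows, so an operator can confirm whether a rule change such as dropping `modulate state` actually made the flag disappear. It assumes tcpdump's verbose line format as quoted above; the two capture lines in `SAMPLE_CAPTURE` are constructed for the demonstration (the first reuses the anonymised line from the thread, the second is a made-up clean reply).

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or the pf project):
# flag IPv6 TCP/UDP segments that tcpdump -vv reports with an incorrect
# transport checksum, the symptom CyberLeo underlined above.
# Assumes tcpdump's verbose format: "cksum 0xNNNN (incorrect -> 0xMMMM)"
# or "cksum 0xNNNN (correct)".

# Constructed sample of tcpdump -vv output (not a real capture): one SYN
# with a bad checksum, patterned on the thread, and one clean SYN/ACK.
SAMPLE_CAPTURE='00:00:02.066251 xx:xx:xx:xx:xx > yy:yy:yy:yy:yy, ethertype IPv6 (0x86dd), length 94: (flowlabel 0xa3c71, hlim 63, next-header TCP (6) payload length: 40) b:b:b:b::1.64158 > a:a:a:a:1::1.53: Flags [S], cksum 0x959b (incorrect -> 0x58f9), seq 3833155181, win 65535, options [mss 1440,nop,wscale 6,sackOK,TS val 495939599 ecr 0], length 0
00:00:02.070001 yy:yy:yy:yy:yy > xx:xx:xx:xx:xx, ethertype IPv6 (0x86dd), length 94: (flowlabel 0x0, hlim 64, next-header TCP (6) payload length: 40) a:a:a:a:1::1.53 > b:b:b:b::1.64158: Flags [S.], cksum 0x1234 (correct), seq 1, ack 3833155182, win 65535, options [mss 1440], length 0'

# count_bad_cksum: read capture text on stdin, print how many IPv6 lines
# carry an "(incorrect" checksum annotation. Prints 0 when there are none.
count_bad_cksum() {
    awk '/ethertype IPv6/ && /cksum 0x[0-9a-f]+ \(incorrect/ { n++ }
         END { print n + 0 }'
}

# bad_flows: read capture text on stdin, print "src > dst" for every IPv6
# line with an incorrect checksum. The transport-level pair is the ">"
# whose right-hand token ends in ":" (the MAC pair on the same line ends
# in "," and "->" inside the cksum note is a different token).
bad_flows() {
    awk '/ethertype IPv6/ && /\(incorrect/ {
             for (i = 2; i < NF; i++) {
                 if ($i == ">" && $(i + 1) ~ /:$/) {
                     dst = $(i + 1); sub(/:$/, "", dst)
                     print $(i - 1), ">", dst
                     break
                 }
             }
         }'
}

# Demonstration on the constructed sample. To check a live interface,
# pipe line-buffered verbose output into the same functions, e.g.
#   tcpdump -lvvni em0 ip6 and port 53 | bad_flows
printf '%s\n' "$SAMPLE_CAPTURE" | count_bad_cksum   # prints 1
printf '%s\n' "$SAMPLE_CAPTURE" | bad_flows         # prints b:b:b:b::1.64158 > a:a:a:a:1::1.53
```

One caveat when reading the result: on the sending host, packets whose checksum is computed by the NIC (transmit checksum offload) are handed to tcpdump before the checksum is filled in and are also shown as "incorrect", so a capture taken on the receiving side, or on the sender with `txcsum`/`txcsum6` temporarily disabled via ifconfig, is the reliable place to confirm that the firewall, and not offloading, is responsible for the flag.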