Date:      Tue, 13 Oct 2015 12:32:21 +0200
From:      Kristof Provost <kp@FreeBSD.org>
To:        David Mehler <dave.mehler@gmail.com>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: Rules sanity check
Message-ID:  <B32C77D5-AE6C-471F-8427-B581E80C6748@FreeBSD.org>
In-Reply-To: <CAPORhP7GxqYGmzk1ZT7sAzMMze3CEwkWUCC2zDWRLNJZC=RH9Q@mail.gmail.com>



> On 13 Oct 2015, at 05:51, David Mehler <dave.mehler@gmail.com> wrote:
> Some things I know definitely aren't working is the ipv6 allowing of
> ssh and http, ipv6 ping doesn't work gives a udp error, ftp from the
> machine the data connection doesn't come through, I'm assuming I'll
> have that same problem when I set up a jailed ftp server as well.
> 
You really, really want to allow ICMPv6. Without ICMPv6, critical things
like path MTU (remember, there’s no router fragmentation in IPv6, you
*need* path MTU discovery) and router advertisements don’t work.

It’s still possible to filter out undesirable ICMPv6 types, but I’d start
out just allowing everything.

I’ve not looked at the rest of it in any depth, but the ICMPv6 thing probably
explains all of the IPv6 issues you’ve had.

Regards,
Kristof
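
The ICMPv6 advice in this reply as a pf.conf fragment. This is an added example, not rules from the thread or from the original poster's ruleset; the `block log all` baseline is an assumption about the surrounding ruleset.

```conf
# Assumed default-deny baseline (hypothetical; the poster's ruleset is not shown here).
block log all

# Starting point suggested in the reply: allow all ICMPv6.
pass quick inet6 proto icmp6 all

# Later tightening (use instead of the rule above): keep the types IPv6 depends on.
#   unreach, toobig, timex, paramprob : error messages; toobig drives path MTU discovery
#   echoreq, echorep                  : ping6
#   routersol, routeradv              : router solicitation / router advertisements
#   neighbrsol, neighbradv            : neighbor discovery (address resolution)
# pass quick inet6 proto icmp6 all icmp6-type { unreach, toobig, timex, paramprob, \
#     echoreq, echorep, routersol, routeradv, neighbrsol, neighbradv }
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, then confirm which rules matched with `pfctl -vsr`.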


