Date: Tue, 13 Oct 2015 12:32:21 +0200
From: Kristof Provost <kp@FreeBSD.org>
To: David Mehler <dave.mehler@gmail.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: Rules sanity check
Message-ID: <B32C77D5-AE6C-471F-8427-B581E80C6748@FreeBSD.org>
In-Reply-To: <CAPORhP7GxqYGmzk1ZT7sAzMMze3CEwkWUCC2zDWRLNJZC=RH9Q@mail.gmail.com>
References: <CAPORhP7GxqYGmzk1ZT7sAzMMze3CEwkWUCC2zDWRLNJZC=RH9Q@mail.gmail.com>

> On 13 Oct 2015, at 05:51, David Mehler <dave.mehler@gmail.com> wrote:
> Some things I know definitely aren't working is the ipv6 allowing of
> ssh and http, ipv6 ping doesn't work gives a udp error, ftp from the
> machine the data connection doesn't come through, I'm assuming I'll
> have that same problem when I set up a jailed ftp server as well.
>

You really, really want to allow ICMPv6. Without ICMPv6 critical things like path MTU (remember, there’s no router fragmentation in IPv6, you *need* path MTU discovery) and router advertisements.

It’s still possible to filter out undesirable ICMPv6 types, but I’d start out just allowing everything.

I’ve not looked at the rest of it in any depth, but the ICMPv6 thing probably explains all of the IPv6 issues you’ve had.

Regards,
Kristof
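
The advice in the reply above, written out as a pf.conf fragment. This is an added example, not part of the original message or of the poster's ruleset; the interface name em0 and the macro names are assumptions.

```pf
# Added example, not from the original thread.
# Assumption: em0 is the external interface; adjust to the real one.
ext_if = "em0"

# ICMPv6 types grouped by the job they do (macro names are illustrative).
# Errors: "toobig" (Packet Too Big) is what path MTU discovery relies on,
# since IPv6 routers do not fragment in transit.
icmp6_err  = "{ unreach, toobig, timex, paramprob }"
# Echo request/reply, i.e. ping6.
icmp6_echo = "{ echoreq, echorep }"
# Router and neighbor discovery: router advertisements, address resolution.
icmp6_nd   = "{ routersol, routeradv, neighbrsol, neighbradv }"

# Stage 1: the starting point suggested in the reply, allow all ICMPv6.
pass quick on $ext_if inet6 proto ipv6-icmp all

# Stage 2: once IPv6 works, remove the stage 1 rule and enable these
# to pass only the listed types.
# pass quick on $ext_if inet6 proto ipv6-icmp all icmp6-type $icmp6_err
# pass quick on $ext_if inet6 proto ipv6-icmp all icmp6-type $icmp6_echo
# pass quick on $ext_if inet6 proto ipv6-icmp all icmp6-type $icmp6_nd
```

Check the syntax with pfctl -nf on the edited file before loading it, then retest ping6, SSH and HTTP over IPv6.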