From owner-freebsd-pf@FreeBSD.ORG Sat Nov 22 14:26:02 2014
Message-ID: <54709CEE.2090800@bluerosetech.com>
Date: Sat, 22 Nov 2014 06:25:50 -0800
From: Darren Pilgrim
Reply-To: "freebsd-pf@freebsd.org"
To: Robin Geuze, Niklaas Baudet von Gersdorff
Subject: Re: Configuring PF with Jails only having IPv6
Cc: "freebsd-pf@freebsd.org"
List-Id: "Technical discussion and general questions about packet filter \(pf\)"

On 11/22/2014 4:55 AM, Robin Geuze wrote:
> IPv6 uses icmp6 to transmit ndp packets. Ndp is basically the ipv6
> version of arp. Based on your packet dump it seems your server is
> trying to figure out the mac address for the router for ipv6 but is
> disallowed by your pf rules. "pass in quick icmp6 from any to any"
> and "pass out quick icmp6 from any to any" should fix your problem.

Or just "pass quick icmp6 from any to any".

You should limit the types, though. See RFC 4890. In short, allow types 1, 2, 3, 4, 128, 129, 135, and 136 universally. If you use router advertisements, add types 133 and 134.
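
The type list from the reply above, written out as pf.conf rules next to the broad rule it replaces. This is an added example, not part of the original message; the macro names icmp6_types and icmp6_ra_types are assumptions, and the rules use the `inet6 proto icmp6` form of pf.conf syntax.

```pf
# Added example (not from the original thread). Macro names are hypothetical.

# ICMPv6 types to allow universally, as listed in the message:
#   1   destination unreachable
#   2   packet too big (needed for path MTU discovery)
#   3   time exceeded
#   4   parameter problem
#   128 echo request
#   129 echo reply
#   135 neighbor solicitation  (NDP, the IPv6 counterpart of ARP)
#   136 neighbor advertisement (NDP)
icmp6_types = "{ 1, 2, 3, 4, 128, 129, 135, 136 }"

# Only if router advertisements are in use:
#   133 router solicitation
#   134 router advertisement
icmp6_ra_types = "{ 133, 134 }"

# Broad form, for comparison: every ICMPv6 type passes.
# pass quick inet6 proto icmp6 from any to any

# Restricted form: only the listed types pass; other ICMPv6 types
# fall through to the rest of the ruleset.
pass quick inet6 proto icmp6 from any to any icmp6-type $icmp6_types

# Remove this rule on hosts that do not use router advertisements.
pass quick inet6 proto icmp6 from any to any icmp6-type $icmp6_ra_types
```

The ruleset can be syntax-checked without loading it using `pfctl -nf /etc/pf.conf`.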