From: David Mehler
To: Kristof Provost
Cc: freebsd-pf@freebsd.org
Date: Tue, 13 Oct 2015 12:59:48 -0400
Subject: Re: Rules sanity check
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hello,

Thanks. How do I get icmpv6 going? That is certainly a problem I'm having.

Thanks.
Dave.

On 10/13/15, Kristof Provost wrote:
>
>> On 13 Oct 2015, at 05:51, David Mehler wrote:
>> Some things I know definitely aren't working is the ipv6 allowing of
>> ssh and http, ipv6 ping doesn't work gives a udp error, ftp from the
>> machine the data connection doesn't come through, I'm assuming I'll
>> have that same problem when I set up a jailed ftp server as well.
>>
> You really, really want to allow ICMPv6. Without ICMPv6 critical things
> like path MTU (remember, there’s no router fragmentation in IPv6, you
> *need* path MTU discovery) and router advertisements.
>
> It’s still possible to filter out undesirable ICMPv6 types, but I’d start
> out just allowing everything.
>
> I’ve not looked at the rest of it in any depth, but the ICMPv6 thing
> probably explains all of the IPv6 issues you’ve had.
>
> Regards,
> Kristof
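
The approach described in the reply above, written out as a pf.conf fragment. This is an added example, not part of the original thread or either poster's ruleset; where it sits relative to the rest of the rules is an assumption, and the type list in step 2 is one illustrative selection.

```conf
# Added example (not from the thread): hypothetical pf.conf fragment.
# Assumption: it is placed among the filter rules, after any default
# "block" rule. "quick" makes the match final regardless of later rules.

# Step 1: allow all ICMPv6, the suggested starting point.
pass quick inet6 proto ipv6-icmp all

# Step 2 (optional): once IPv6 works, replace the rule above with a
# narrower one that still passes the types IPv6 depends on:
#   toobig                  path MTU discovery (no router fragmentation)
#   routersol, routeradv    router solicitation / advertisement
#   neighbrsol, neighbradv  neighbor discovery (IPv6 counterpart of ARP)
#   unreach, timex, paramprob   error reporting
#   echoreq, echorep        ping6
#
#pass quick inet6 proto ipv6-icmp all icmp6-type { \
#    unreach, toobig, timex, paramprob, echoreq, echorep, \
#    routersol, routeradv, neighbrsol, neighbradv }
```

Running `pfctl -nf /etc/pf.conf` parses the ruleset without loading it, which catches syntax errors before the change takes effect.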