From: Max Laier <max@love2party.net>
To: freebsd-pf@freebsd.org, yongari@kt-is.co.kr
Date: Wed, 5 Jan 2005 04:34:51 +0100
Subject: Re: pf NAT function with IPv6
Message-Id: <200501050435.00711.max@love2party.net>
In-Reply-To: <20050105032351.GA8022@kt-is.co.kr>
References: <20041230.232305.71087886.yamamoto436@oki.com> <20050105032351.GA8022@kt-is.co.kr>
List-Id: Technical discussion and general questions about packet filter (pf)

On Wednesday 05 January 2005 04:23, Pyun YongHyeon wrote:
> On Thu, Dec 30, 2004 at 11:23:05PM +0900, Hideki Yamamoto wrote:
> > Hi,
> >
> > I tried to use pf to change the source address of an IPv6 UDP packet, but it
> > does not go well, although the output of the 'pfctl' command seems to show no problem.
> > I wonder if pf on FreeBSD does not support IPv6 now.
>
> AFAIK, No. pf is the only firewall that supports (almost) full
> IPv6 in BSDs.

True, though that does not mean that it is 100% bug-free ;)

> > ---------- /etc/pf.conf ------------- start
> > ext_if="bge2"
> > int_if="bge0"
> > internal_net="fec0:0:0:d::0/32"
> > nat on bge2 inet6 from fec0:0:0:d::1 to any -> 2001:b90:ee00:ff0b::1:3
> > ---------- /etc/pf.conf ------------- end
> >
> > tsrmldgw3# pfctl -s state
> > No ALTQ support in kernel
> > ALTQ related functions disabled
> > self udp fec0:0:0:d::1[15001] -> 2001:b90:ee00:ff0b::1:3[52925] ->
> > 2001:b90:ee00:51b:208:4ff:fe28:a1d2[8001] SINGLE:NO_TRAFFIC

This state entry indicates that the outgoing packet went out okay. Can you
verify/falsify with tcpdump if it really did? You might also want to check at
the remote to see if the packet makes it there. If yes, check for the reply
on your gateway.

If one of the packets carries IPv6 option headers it might get dropped due to a
recently discovered bug:

This is fixed in pf.c HEAD >= 1.24 and RELENG_5 >= 1.18.2.5

> Works here. Tested on FreeBSD-CURRENT sparc64
> mars# pfctl -ss
> self tcp fec0:0:0:d::1[49152] -> 2001:b90:ee00:ff0b::1[51223] ->
> 2001:b90:ee00:ff0b::10[22] ESTABLISHED:ESTABLISHED
> self tcp fec0:0:0:d::1[22] <- 2001:b90:ee00:ff0b::1[22] <-
> 2001:b90:ee00:ff0b::10[49154] ESTABLISHED:ESTABLISHED
>
> mars# pfctl -sr
> pass in on hme0 inet6 proto tcp all flags S/SA keep state
> pass out on hme0 inet6 proto tcp all flags S/SA keep state
> mars# pfctl -sn
> nat on hme0 inet6 proto tcp from ! (hme0) to any -> 2001:b90:ee00:ff0b::1
> rdr on hme0 inet6 proto tcp from any to any port = ssh -> fec0:0:0:d::1
> port 22
>
> Due to lack of hardware and IPv6 setup I tested an ssh connection. But
> there is no reason UDP doesn't work.

-- 
/"\ Best regards,             | mlaier@freebsd.org
\ / Max Laier                 | ICQ #67774661
 X  http://pf4freebsd.love2party.net/ | mlaier@EFnet
/ \ ASCII Ribbon Campaign     | Against HTML Mail and News
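An added example, not part of this thread or of pf itself: a small parser for the `pfctl -s state` lines quoted above that tells translated (nat/rdr) states from untranslated ones and picks out the entries that never saw traffic from one side, which is the case Max suggests chasing with tcpdump. It relies on pf printing each state as lan -> gwy -> ext (or lan <- gwy <- ext for inbound states) with the gwy hop shown only when a translation applies; the sample output is constructed from the lines in the thread plus one made-up untranslated state.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One `pfctl -s state` line. pf prints lan -> gwy -> ext for outbound states and
# lan <- gwy <- ext for inbound ones; the gwy (on-the-wire) endpoint appears only
# when the state carries a nat/rdr translation.
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<lan>[^\s\[]+)\[(?P<lan_port>\d+)\]\s+(?P<dir>->|<-)\s+"
    r"(?:(?P<gwy>[^\s\[]+)\[(?P<gwy_port>\d+)\]\s+(?P=dir)\s+)?"
    r"(?P<ext>[^\s\[]+)\[(?P<ext_port>\d+)\]\s+(?P<state>\S+)$"
)

@dataclass
class PfState:
    iface: str
    proto: str
    outbound: bool                       # True for "->", False for "<-"
    lan: Tuple[str, int]                 # internal-side endpoint
    gwy: Optional[Tuple[str, int]]       # translated endpoint on the wire; None if untranslated
    ext: Tuple[str, int]                 # remote endpoint
    src_state: str                       # e.g. SINGLE, ESTABLISHED
    dst_state: str                       # NO_TRAFFIC: pf never saw a packet from that side

def parse_state_line(line: str) -> Optional[PfState]:
    """Parse one state line; return None for notices such as 'No ALTQ support in kernel'."""
    m = STATE_RE.match(line.strip())
    if not m:
        return None
    gwy = (m["gwy"], int(m["gwy_port"])) if m["gwy"] else None
    src_state, dst_state = m["state"].split(":", 1)
    return PfState(m["iface"], m["proto"], m["dir"] == "->",
                   (m["lan"], int(m["lan_port"])), gwy,
                   (m["ext"], int(m["ext_port"])), src_state, dst_state)

def stuck_translations(output: str) -> List[PfState]:
    """nat/rdr states that never saw traffic from one side: the case to chase with tcpdump."""
    states = [s for s in map(parse_state_line, output.splitlines()) if s]
    return [s for s in states
            if s.gwy is not None and "NO_TRAFFIC" in (s.src_state, s.dst_state)]

# Constructed sample: the pfctl output quoted in the thread plus one untranslated state.
SAMPLE = """\
No ALTQ support in kernel
self udp fec0:0:0:d::1[15001] -> 2001:b90:ee00:ff0b::1:3[52925] -> 2001:b90:ee00:51b:208:4ff:fe28:a1d2[8001] SINGLE:NO_TRAFFIC
self tcp fec0:0:0:d::1[49152] -> 2001:b90:ee00:ff0b::1[51223] -> 2001:b90:ee00:ff0b::10[22] ESTABLISHED:ESTABLISHED
self tcp fec0:0:0:d::1[22] <- 2001:b90:ee00:ff0b::1[22] <- 2001:b90:ee00:ff0b::10[49154] ESTABLISHED:ESTABLISHED
self tcp 2001:b90:ee00:ff0b::1[40000] -> 2001:b90:ee00:ff0b::10[22] ESTABLISHED:ESTABLISHED
"""
```

Running `stuck_translations(SAMPLE)` returns only the UDP state from the original report: its translation was installed, but pf never matched a reply, so the next step is tcpdump on the gateway's external interface and at the remote end.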