Date: Sun, 23 Nov 2014 14:31:01 +0100
From: Niklaas Baudet von Gersdorff
To: Robin Geuze, "freebsd-pf@freebsd.org"
Subject: Re: Configuring PF with Jails only having IPv6

Niklaas Baudet von Gersdorff [2014-11-23 14:10 +0100] :
> After applying this I could connect to the jail without any problem. So,
> thank you very much. Nonetheless there was no outbound connection from
> the jail possible. Luckily, I just solved this. It was the following
> entry that caused problems:
>
>     pass out on $ext_if proto tcp all modulate state
>
> Because it looks like that it's not possible to use modulate state with
> IPv6, as shortly stated here:
>
>     https://forums.freebsd.org/threads/9-1-and-outgoing-tcp6-operation-timed-out.36595/#post-202506

Just to give you an update about this. My solution is now

    pass out on $ext_if inet proto tcp all modulate state
    pass out on $ext_if inet6 proto tcp all keep state

which does modulate state for IPv4 traffic and keep state for IPv6. In
case this might be helpful for someone in future.

-- 
Niklaas Baudet von Gersdorff
niklaas@kulturflatrate.net
http://www.twitter.com/NBvGersdorff
http://www.kulturflatrate.net/niklaas
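Added example, not part of the original message: a small check that lists pass rules in a pf.conf which use modulate state without being limited to IPv4 by the inet keyword, which is the situation the message describes. The sample ruleset and the function names are constructed for illustration, and the parsing is simplified (assumption): it joins backslash continuations and strips comments but does not expand macros, anchors or includes.

```python
import re

# Constructed sample ruleset (not from the original message).
SAMPLE = """\
ext_if = "em0"
# outbound TCP
pass out on $ext_if proto tcp all modulate state
pass out on $ext_if inet proto tcp all modulate state
pass out on $ext_if inet6 proto tcp all keep state
pass out on $ext_if inet6 proto tcp \\
    all modulate state   # continued line
"""

def logical_lines(text):
    """Yield (first_line_no, rule): comments stripped, '\\' continuations joined."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()   # assumption: no '#' inside quotes
        if start is None:
            start = no
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield start, " ".join(buf.split())
        buf, start = "", None

def modulate_rules_matching_ipv6(text):
    """Return (line_no, address_family, rule) for pass rules that use
    'modulate state' and are not limited to IPv4 with the 'inet' keyword."""
    findings = []
    for no, rule in logical_lines(text):
        tokens = rule.split()
        if tokens[0] != "pass" or not re.search(r"\bmodulate\s+state\b", rule):
            continue
        if "inet" in tokens:          # IPv4 only: the form used in the message
            continue
        af = "inet6" if "inet6" in tokens else "any"
        findings.append((no, af, rule))
    return findings

if __name__ == "__main__":
    for no, af, rule in modulate_rules_matching_ipv6(SAMPLE):
        print(f"line {no}: modulate state on {af} traffic: {rule}")
```

After editing the ruleset, `pfctl -nf /etc/pf.conf` parses it without loading it, and `pfctl -f /etc/pf.conf` loads it.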