From: Frank Steinborn <steinex@nognu.de>
To: freebsd-pf@FreeBSD.org
Date: Tue, 1 Aug 2006 16:29:25 +0200
Subject: I'm getting sick - Problems filtering IPv6.
Message-Id: <20060801142925.54F5CB828@shodan.nognu.de>
List-Id: "Technical discussion and general questions about packet filter (pf)"

At first, here is the complete ruleset:

http://www.nognu.de/~steinex/pf.conf.txt

The problem: As you can see, I'm having a stateful outgoing rule for IPv6:

  pass out on gif0 inet6 proto { tcp, udp, icmp6, ipv6 } all modulate state

That works just fine. I can ping v6-hosts and surf the web via v6. But I
want to open some daemons for the outside world, for example a nameserver:

  pass in on gif0 inet6 proto { tcp, udp } from any to 2001:1638:17ad::3 port 53 modulate state

Let's try to connect to it now, from another box:

  $ telnet 2001:1638:17ad::3 53
  Trying 2001:1638:17ad::3...
  Connected to 2001:1638:17ad::3.
  Escape character is '^]'.

That works just fine! Yay!

However, if I try the same on the same box running the named and the filter:

  $ telnet 2001:1638:17ad::3 53
  Trying 2001:1638:17ad::3...

That's it. It's not possible, and I'm really frustrated for days now. What
is actually borked here? Let's have a look at pflog0, what's dropping:

  15:26:35.983709 rule 1/0(match): block in on gif0: 2001:1638:17ad::3.53 > 2001:1638:17ad::3.59761: tcp 40 [bad hdr length 4 - too short, < 20]

Hmm. Bad hdr length? What's up here? If I change the rule

  pass out on gif0 inet6 proto { tcp, udp, icmp6, ipv6 } all modulate state

to

  pass on gif0 inet6 proto { tcp, udp, icmp6, ipv6 } all modulate state

all works fine. But that's not what I want, of course. Can anyone give me a
clue what's wrong here? Please, it's driving me crazy! :-(

I found one thing about the "bad hdr length" thing on the mailing list, but
I'm not sure if it's related. And it's from 2005:

http://lists.freebsd.org/pipermail/freebsd-current/2005-November/057922.html

Thanks for *any* hint,
Frank
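As an added example (not part of Frank's post and not pf or tcpdump code), a small parser for the pflog0 line format quoted above: it pulls the rule number, action, direction, interface, IPv6 host and port out of each line and picks out blocked packets that tcpdump annotated with "bad hdr length". The pass line in the sample is constructed for contrast; the block line is the one from the post.

```python
import re

# Constructed sample input: the pflog0 line quoted in the post, plus one
# constructed 'pass out' line (an ordinary DNS query) for contrast.
SAMPLE_LOG = """\
15:26:35.983709 rule 1/0(match): block in on gif0: 2001:1638:17ad::3.53 > 2001:1638:17ad::3.59761: tcp 40 [bad hdr length 4 - too short, < 20]
15:26:36.001122 rule 3/0(match): pass out on gif0: 2001:1638:17ad::3.59762 > 2001:4860::8888.53: udp 31
"""

# tcpdump-on-pflog0 layout: ts rule N/M(reason): action dir on ifname: src > dst: proto len [note]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>\w+)\): "
    r"(?P<action>\w+) (?P<dir>in|out) on (?P<ifname>\S+): "
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<proto>\w+) (?P<len>\d+)"
    r"(?: \[(?P<note>[^\]]*)\])?$"
)

def split_addr_port(tok):
    """tcpdump prints host.port; an IPv6 address itself contains colons, so
    split on the LAST dot and treat the tail as a port only if it is numeric."""
    head, sep, tail = tok.rpartition(".")
    if sep and tail.isdigit() and (":" in head or head.count(".") == 3):
        return head, int(tail)
    return tok, None  # no port (e.g. icmp6) or not a host.port token

def parse_pflog_line(line):
    """Return a dict of fields for one pflog0 line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["src"], e["sport"] = split_addr_port(e["src"])
    e["dst"], e["dport"] = split_addr_port(e["dst"])
    e["rule"], e["len"] = int(e["rule"]), int(e["len"])
    return e

def malformed_blocks(text):
    """Entries pf blocked that tcpdump also flagged as malformed. In the post
    the hallmark is such a block on gif0 where src host == dst host."""
    return [e for e in map(parse_pflog_line, text.splitlines())
            if e and e["action"] == "block" and e["note"] and "bad hdr length" in e["note"]]
```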