From owner-freebsd-bugs@FreeBSD.ORG Wed Jul 26 16:30:22 2006
Date: Wed, 26 Jul 2006 16:30:21 GMT
Message-Id: <200607261630.k6QGULWF016141@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From: Daniel Hartmeier
Subject: Re: misc/100879: PF on Freebsd 6.1-STABLE doesn't block IPv6

The following reply was made to PR misc/100879; it has been noted by GNATS.

From: Daniel Hartmeier
To: Remko Catersels
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: misc/100879: PF on Freebsd 6.1-STABLE doesn't block IPv6
Date: Wed, 26 Jul 2006 18:27:30 +0200

On Wed, Jul 26, 2006 at 11:33:25AM +0000, Remko Catersels wrote:

> Compiled a kernel with INET6 support. Added device pf and pflog. Configured IPv6 using a tunnel broker supplied by my ISP. IPv6 fully functional. Internal machines all have a global IPv6 address. Added a block in on $ext_if inet6 from any to any.
> Reloaded pf.conf. I can still ping all the machines behind the firewall via IPv6.

That blocks IPv6 packets on $ext_if. Maybe what is passing on $ext_if is not actually native IPv6 packets, but encapsulated IPv6-in-IPv4 packets ("inet proto ipv6" in pf syntax)? And you need to filter the native IPv6 packets after decapsulation on the virtual tunnel interface, like gif(4)?

When in doubt, tcpdump ;)

Daniel
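As an added illustration of the distinction Daniel draws (this fragment is not part of the PR or his reply), a pf.conf excerpt that assumes the tunnel endpoint is gif0, the uplink is em0 and the broker's IPv4 address is a constructed placeholder in $broker:

```pf
# Added example, not from the PR. Assumptions: $ext_if is the IPv4-only
# uplink, gif0 is the IPv6-in-IPv4 tunnel (gif(4)), $broker is the tunnel
# broker's IPv4 endpoint, $lan_net6 is the internal IPv6 prefix.
ext_if   = "em0"
broker   = "192.0.2.1"           # constructed placeholder address
lan_net6 = "2001:db8:1::/64"     # constructed placeholder prefix

# The reporter's rule. It matches only native IPv6 on $ext_if; on an
# IPv4-only uplink no native IPv6 ever arrives there, so the rule
# matches nothing and the tunnelled traffic is untouched.
block in on $ext_if inet6 from any to any

# What actually arrives on $ext_if is IPv4 carrying protocol 41
# ("inet proto ipv6"). Accept that encapsulation only from the broker.
block in  on $ext_if inet proto ipv6 all
pass  in  on $ext_if inet proto ipv6 from $broker to ($ext_if)
pass  out on $ext_if inet proto ipv6 from ($ext_if) to $broker

# After gif(4) decapsulates, the inner IPv6 packet is seen again on
# gif0: that is where the IPv6 policy has to live. Echo requests are
# deliberately not passed, so the reporter's ping test should now fail;
# neighbour discovery and packet-too-big are kept for the tunnel to work.
block in on gif0 inet6 from any to any
pass in on gif0 inet6 proto icmp6 from any to $lan_net6 \
    icmp6-type { neighbrsol, neighbradv, toobig } keep state
pass in on gif0 inet6 proto tcp from any to $lan_net6 port 22 keep state
pass out on gif0 inet6 from $lan_net6 to any keep state
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, and `tcpdump -ni gif0` shows whether the decapsulated IPv6 packets appear on the tunnel interface at all, which is the check Daniel suggests.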