[pf4freebsd] Re: Statefull IPv6
Pyun YongHyeon
yongari at kt-is.co.kr
Wed Sep 15 20:57:39 PDT 2004
On Tue, Dec 02, 2003 at 05:20:34PM +0000, Mike Saywell wrote:
...
[snip]
...
>
> However IPv6 pings don't.... In the log I get:
>
> 63. 384244 rule 12/0(match): pass in on dc1: 2001:630:d0:901::2 > 2001:630:d0:902::2: icmp6: echo request
> 000531 rule 0/0(match): block in on dc2: 2001:630:d0:902::2 > 2001:630:d0:901::2: icmp6: echo reply
>
Hmm... It was blocked.
> It's the same for all other traffic too, e.g. ssh:
> 000000 rule 12/0(match): pass in on dc1: 2001:630:d0:901::2.42559 > 2001:630:d0:902::2.22: [|tcp]
> 000617 rule 0/0(match): block in on dc2: 2001:630:d0:902::2.22 > 2001:630:d0:901::2.42559: [|tcp]
>
> Also if I dump the state whilst pinging from Zim to Centaur then with
> IPv4 I see:
>
> -su-2.05b# pfctl -ss
> icmp 192.168.1.2:22051 -> 192.168.2.2:22051 0:0
>
> but when using IPv6 it's blank. :(
>
Yes, it did not pass any packets. So it should have no entry, as expected.
> So it seems like "keep state" is only working with IPv4??
>
No. It should work for both IPv4 and IPv6.
> The full expanded ruleset is:
>
> block drop in log all
> block drop out log all
> pass quick on dc0 all
> pass quick on lo0 all
> pass log quick inet6 from any to fe00::/8
> pass log quick inet6 from any to ff00::/8
> pass log quick on dc1 inet6 from any to fe80::280:c8ff:fec9:9cbe
> pass log quick inet from any to 192.168.1.1
> pass log quick inet6 from any to 2001:630:d0:901::1
> pass log quick inet from any to 192.168.2.1
> pass log quick on dc2 inet6 from any to fe80::280:c8ff:fec9:9cbf
> pass log quick inet6 from any to 2001:630:d0:902::1
> pass in log on dc1 all
> pass out log on dc1 all
> pass out log on dc2 all keep state
>
> Does anybody have any ideas? The setup above should be fairly easy
> to re-produce...
>
This is reproducible on my 5.1R machine. However, it does not happen
on 5.2-BETA. If you want a quick fix, just upgrade to 5.2-BETA.
At present, I don't have any clue why pf blocks the packet on 5.1R.
I'll take a look.
> I'll try and get an OpenBSD machine running so I can see if it's a
> general pf problem or a FreeBSD specific one...
>
It seems that it is a FreeBSD-only problem.
> Mike
>
Thanks for your report.
Regards,
Pyun YongHyeon
--
Pyun YongHyeon <http://www.kr.freebsd.org/~yongari>
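The diagnosis in this thread is done by eye: a packet is passed in on dc1, and the reply comes back in on dc2 and hits the default block rule (rule 0), which means no state entry was created for the flow. The following script is an added example, not part of the original mail or of pf, that automates that check over pflog output in the tcpdump format quoted above. It pairs each passed packet with the first later packet in the reverse direction (addresses and ports swapped) and reports flows whose reply was blocked, per address family. The sample log lines are the ones quoted in the thread plus a constructed IPv4 pair for contrast; the function and variable names are this example's own.

```python
import ipaddress
import re
from collections import namedtuple

# Matches the "rule N/M(match): pass|block in|out on IF: SRC > DST: PROTO"
# part of a pflog line as printed by tcpdump; the leading timestamp
# (e.g. "63. 384244" or "000531") is ignored by using search().
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\(match\): (?P<action>pass|block) (?P<direction>in|out) "
    r"on (?P<ifname>\w+): (?P<src>\S+) > (?P<dst>\S+): (?P<proto>.*)$"
)

Entry = namedtuple("Entry", "rule action direction ifname src sport dst dport proto")

# Constructed sample: the four IPv6 lines quoted in the thread, followed by an
# IPv4 ICMP pair (constructed) in which the reply is passed, for contrast.
SAMPLE_LOG = [
    "63. 384244 rule 12/0(match): pass in on dc1: 2001:630:d0:901::2 > 2001:630:d0:902::2: icmp6: echo request",
    "000531 rule 0/0(match): block in on dc2: 2001:630:d0:902::2 > 2001:630:d0:901::2: icmp6: echo reply",
    "000000 rule 12/0(match): pass in on dc1: 2001:630:d0:901::2.42559 > 2001:630:d0:902::2.22: [|tcp]",
    "000617 rule 0/0(match): block in on dc2: 2001:630:d0:902::2.22 > 2001:630:d0:901::2.42559: [|tcp]",
    "000000 rule 12/0(match): pass in on dc1: 192.168.1.2 > 192.168.2.2: icmp: echo request",
    "000412 rule 13/0(match): pass in on dc2: 192.168.2.2 > 192.168.1.2: icmp: echo reply",
]


def split_endpoint(endpoint):
    """Split 'ADDR' or 'ADDR.PORT' into (address, port-or-None).

    tcpdump appends the port with a dot for both families, so the whole
    string is first tried as a bare address; only if that fails is the
    last dot-separated component treated as a port.
    """
    try:
        return str(ipaddress.ip_address(endpoint)), None
    except ValueError:
        pass
    host, _, port = endpoint.rpartition(".")
    return str(ipaddress.ip_address(host)), int(port)


def parse_pflog(lines):
    """Parse tcpdump-formatted pflog lines into Entry tuples (unparseable lines are skipped)."""
    entries = []
    for line in lines:
        m = PFLOG_RE.search(line)
        if not m:
            continue
        src, sport = split_endpoint(m.group("src"))
        dst, dport = split_endpoint(m.group("dst"))
        entries.append(Entry(int(m.group("rule")), m.group("action"), m.group("direction"),
                             m.group("ifname"), src, sport, dst, dport, m.group("proto")))
    return entries


def find_unreplied_flows(entries):
    """Return (forward, reverse) pairs where a passed packet's reply was blocked.

    A packet is the reply of an earlier one when its source/destination
    addresses and ports are the earlier packet's swapped. Only the first
    reverse packet after each passed packet is considered.
    """
    findings = []
    for i, fwd in enumerate(entries):
        if fwd.action != "pass":
            continue
        for rev in entries[i + 1:]:
            is_reverse = (rev.src == fwd.dst and rev.dst == fwd.src
                          and rev.sport == fwd.dport and rev.dport == fwd.sport)
            if is_reverse:
                if rev.action == "block":
                    findings.append((fwd, rev))
                break
    return findings


def describe(fwd, rev):
    """One-line description of a flow whose reply was blocked, tagged with its address family."""
    family = "inet6" if ipaddress.ip_address(fwd.src).version == 6 else "inet"
    return (f"{family} flow {fwd.src} -> {fwd.dst} ({fwd.proto}) passed {fwd.direction} on "
            f"{fwd.ifname} (rule {fwd.rule}) but reply blocked {rev.direction} on {rev.ifname} "
            f"(rule {rev.rule}): no state entry was created")


if __name__ == "__main__":
    for fwd, rev in find_unreplied_flows(parse_pflog(SAMPLE_LOG)):
        print(describe(fwd, rev))
```

Run against a live capture with `tcpdump -n -e -ttt -i pflog0` piped into the script (reading stdin instead of SAMPLE_LOG); if only inet6 flows are reported while the matching inet flows are not, the symptom is the one discussed in this thread rather than a mistake in the ruleset.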