pf NAT function with IPv6

Max Laier max at love2party.net
Wed Jan 5 03:35:34 GMT 2005


On Wednesday 05 January 2005 04:23, Pyun YongHyeon wrote:
> On Thu, Dec 30, 2004 at 11:23:05PM +0900, Hideki Yamamoto wrote:
>  > Hi,
>  >
>  > I tried to use pf to change source address of IPv6 UDP packet, but it
>  > does not go well. As the output of 'pfctl' command seems no problem.
>  > I wonder if pf on FreeBSD does not support IPv6 now.
>
> AFAIK, No. pf is the only firewall that supports (almost) full
> IPv6 in BSDs.

True, though that does not mean that it is 100% bug-free ;)

>  > ---------- /etc/pf.conf ------------- start
>  > ext_if="bge2"
>  > int_if="bge0"
>  > internal_net="fec0:0:0:d::0/32"
>  > nat on bge2 inet6 from fec0:0:0:d::1 to any -> 2001:b90:ee00:ff0b::1:3
>  > ---------- /etc/pf.conf ------------- end
>  >
>  > tsrmldgw3# pfctl -s state
>  > No ALTQ support in kernel
>  > ALTQ related functions disabled
>  > self udp fec0:0:0:d::1[15001] -> 2001:b90:ee00:ff0b::1:3[52925] ->
>  > 2001:b90:ee00:51b:208:4ff:fe28:a1d2[8001] SINGLE:NO_TRAFFIC

This state entry indicates that the outgoing packet went out okay. Can you 
verify/falsify with tcpdump if it really did? You might also want to check at 
the remote to see if the packet makes it there. If yes, check for the reply 
on your gateway.

If one of the packets carries IPv6 option headers it might get dropped due to a 
recently discovered bug:
This is fixed in pf.c HEAD >= 1.24 and RELENG_5 >= 1.18.2.5

> Works here. Tested on FreeBSD-CURRENT sparc64
> mars# pfctl -ss
> self tcp fec0:0:0:d::1[49152] -> 2001:b90:ee00:ff0b::1[51223] ->
> 2001:b90:ee00:ff0b::10[22]       ESTABLISHED:ESTABLISHED self tcp
> fec0:0:0:d::1[22] <- 2001:b90:ee00:ff0b::1[22] <-
> 2001:b90:ee00:ff0b::10[49154]       ESTABLISHED:ESTABLISHED
>
> mars# pfctl -sr
> pass in on hme0 inet6 proto tcp all flags S/SA keep state
> pass out on hme0 inet6 proto tcp all flags S/SA keep state
> mars# pfctl -sn
> nat on hme0 inet6 proto tcp from ! (hme0) to any -> 2001:b90:ee00:ff0b::1
> rdr on hme0 inet6 proto tcp from any to any port = ssh -> fec0:0:0:d::1
> port 22
>
> Due to lack of hardware and IPv6 setup I tested ssh connection. But
> there is no reason UDP don't work.

-- 
/"\  Best regards,                      | mlaier at freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier at EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
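As an added example (not part of this thread or of pf itself), a small Python parser for the IPv6 `pfctl -s state` lines quoted above, which makes the reading given in the reply explicit: a three-endpoint state printed with `->` shows a source translated by a `nat` rule, one printed with `<-` shows a destination rewritten by an `rdr` rule, and a two-endpoint state was passed untranslated. The field layout and that interpretation are assumptions drawn from the quoted output; the sample lines are the thread's own three states, rejoined onto one line each.

```python
import ipaddress
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample: the three IPv6 state lines quoted in the thread, each
# rejoined onto one line (pfctl prints one state per line; the mail wrapped them).
SAMPLE_STATES = """\
self udp fec0:0:0:d::1[15001] -> 2001:b90:ee00:ff0b::1:3[52925] -> 2001:b90:ee00:51b:208:4ff:fe28:a1d2[8001] SINGLE:NO_TRAFFIC
self tcp fec0:0:0:d::1[49152] -> 2001:b90:ee00:ff0b::1[51223] -> 2001:b90:ee00:ff0b::10[22]       ESTABLISHED:ESTABLISHED
self tcp fec0:0:0:d::1[22] <- 2001:b90:ee00:ff0b::1[22] <- 2001:b90:ee00:ff0b::10[49154]       ESTABLISHED:ESTABLISHED
"""

Endpoint = Tuple[ipaddress.IPv6Address, int]
_ENDPOINT = re.compile(r"^([0-9A-Fa-f:]+)\[(\d+)\]$")  # IPv6 endpoints print as addr[port]

class PfState(NamedTuple):
    proto: str
    direction: str             # "out" for "->", "in" for "<-"
    endpoints: List[Endpoint]  # in the order pfctl printed them
    status: str                # e.g. "SINGLE:NO_TRAFFIC"

    @property
    def translation(self) -> Optional[Tuple[str, Endpoint, Endpoint]]:
        """(kind, original, rewritten); None for an untranslated 2-endpoint state.
        Assumed layout: out = src -> translated src -> dst (nat); in = new dst <- original dst <- src (rdr)."""
        if len(self.endpoints) != 3:
            return None
        if self.direction == "out":
            return "nat", self.endpoints[0], self.endpoints[1]
        return "rdr", self.endpoints[1], self.endpoints[0]

def _parse_endpoint(token: str) -> Endpoint:
    m = _ENDPOINT.match(token)
    if not m:
        raise ValueError(f"bad endpoint {token!r}")
    return ipaddress.IPv6Address(m.group(1)), int(m.group(2))

def parse_state_line(line: str) -> PfState:
    # Assumed fields: <leading name> <proto> ep (-> ep | <- ep){1,2} STATE:STATE
    fields = line.split()
    if len(fields) < 6:
        raise ValueError(f"too few fields: {line!r}")
    arrows = {f for f in fields[2:-1] if f in ("->", "<-")}
    if len(arrows) != 1:
        raise ValueError(f"mixed or missing arrows: {line!r}")
    endpoints = [_parse_endpoint(f) for f in fields[2:-1] if f not in arrows]
    return PfState(fields[1], "out" if "->" in arrows else "in", endpoints, fields[-1])

def parse_states(text: str) -> List[PfState]:
    return [parse_state_line(l) for l in text.splitlines() if l.strip()]
```

Parsing the first sample line yields a `nat` translation of `fec0:0:0:d::1[15001]` to `2001:b90:ee00:ff0b::1:3[52925]`, which is why the reply concludes the outgoing packet was rewritten and sent; only tcpdump on the gateway and the remote shows whether it actually arrived and whether a reply came back.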