pf dropping packets despite pass all rule
Max Laier
max at love2party.net
Thu Jul 31 16:26:54 UTC 2008
On Thursday 31 July 2008 17:35:06 Tilman Linneweh wrote:
> Hi list,
>
> My setup:
>
> LAN -> Router with PF <- gif tunnel with IPSEC -> Server
>
> The router is running FreeBSD 7.0. Protocol is IPv6. ping6 works,
> but TCPv6 from LAN to Server does not work, unless I disable PF.
>
> Excerpt from pf.conf:
> pass in quick on gif0 all keep state
> pass out quick on gif0 all keep state
>
> pflog0 contains some strange packets:
> http://arved.priv.at/~arved/strangepackets.pcap

That dump is useless, please cap with "-s0".

> IPSEC_FILTERTUNNEL does not make a difference.
>
> I don't understand why pf is dropping something on gif0. And I can't decode
> what kind of packets these are, and why they are necessary for TCPv6.
>
> Any ideas?

I'd suspect ip-options. Try allow-opts and check "pfctl -si". If you really
want to trust gif0 completely, you could simply add "skip on gif0" and pf will
not mess with it at all.
--
/"\ Best regards, | mlaier at freebsd.org
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | mlaier at EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News
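
The two suggestions from the reply above, written out as a pf.conf fragment. This is an added example, not part of the original message: gif0, the two pass rules, allow-opts and the skip option come from the thread, while the layout and comments are editorial.

```conf
# --- Option A: keep filtering on gif0, but accept packets with IP options ---
# By default pf blocks packets that carry IP options even when a pass rule
# matches; allow-opts on the matching rule lifts that for this rule only.
pass in  quick on gif0 all keep state allow-opts
pass out quick on gif0 all keep state allow-opts

# --- Option B: exempt gif0 from pf entirely (use instead of Option A) ---
# "set" lines are options and belong at the top of pf.conf, before any
# filter rules. With this set, no rule, state tracking or logging applies
# to traffic on gif0, so use it only if the tunnel peer is fully trusted.
# set skip on gif0

# --- Checking which case you are in (run as root, shown as comments) ---
# pfctl -nf /etc/pf.conf         # parse the ruleset without loading it
# pfctl -f  /etc/pf.conf         # load it
# pfctl -si                      # compare the ip-option counter before and
#                                # after a failing TCPv6 connection attempt
# tcpdump -n -e -s0 -i pflog0    # full-length capture of logged packets
```

Option A is the narrower change: the ruleset still applies to gif0 and only the option check is relaxed, whereas Option B removes the interface from pf's view altogether.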