urpf-failed & ipv6
Marcin Wisnicki
mwisnicki+freebsd at gmail.com
Sun Jul 4 05:25:07 UTC 2010
On Sat, 03 Jul 2010 15:29:33 +0200, Reinhard Haller wrote:
> Hi,
>
> I recently discovered a strange behavior on my border router. In the
> following ruleset:
>
> block log all
> block in log quick from urpf-failed to any
> pass quick on $int_if inet6 proto udp from any to any port ripng
> block drop on !$int_if inet6 proto udp from any to any port ripng
>
> all occurrences of
>
> fe80::<mac-address>%$int_if -> ff02::9
>
> were blocked by the urpf-failed rule.
>
> Any suggestions why this happens?
Probably this change:
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/pf.c#rev1.625
It seems it's not yet merged into FreeBSD.
I'm using the following as a temporary solution (adapted from rc.firewall):
block log all

# Pass IPv6 link-local and link-scope multicast traffic before the
# urpf-failed rule sees it; "quick" on the anchor stops evaluation
# for anything matched inside it.
anchor "ipv6-link-local" quick inet6 {
	# Neighbour discovery (DAD) from the unspecified address
	pass proto icmp6 from :: to ff02::/16
	# ND / RA / NA between link-local addresses and to multicast
	pass proto icmp6 from fe80::/10 to fe80::/10
	pass proto icmp6 from fe80::/10 to ff02::/16
	# Other link-local to link-scope multicast (e.g. RIPng to ff02::9)
	pass from fe80::/10 to ff02::/16
	pass from (self:network) to ff02::/16
	# DHCPv6 server/relay replies to this host's client port
	pass proto udp from fe80::/10 to (self) port dhcpv6-client
}

block in log quick from urpf-failed
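As an added check (my own example, not from the thread or from rc.firewall): a small Python script that scans pflog output for blocked fe80::/10 -> ff02::/16 packets, which is exactly the traffic the anchor above is meant to pass before the urpf-failed rule is reached. The log lines, rule numbers, addresses and interface name are constructed to resemble "tcpdump -n -e -ttt -i pflog0" output and are not real captures.

```python
import ipaddress
import re

# Constructed sample resembling tcpdump output on pflog0 (not a real capture).
SAMPLE_PFLOG = """\
000000 rule 1/0(match): block in on em0: fe80::21b:21ff:fe12:3456.521 > ff02::9.521: UDP, length 24
000000 rule 1/0(match): block in on em0: fe80::21b:21ff:fe12:3456 > ff02::1: ICMP6, router advertisement, length 56
000001 rule 1/0(match): block in on em0: 2001:db8:1::5.521 > ff02::9.521: UDP, length 24
000002 rule 0/0(match): block in on em0: 203.0.113.7.4444 > 198.51.100.2.22: Flags [S], seq 1, length 0
"""

LINE_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\(match\): (?P<action>block|pass) (?P<dir>in|out) "
    r"on (?P<ifname>\S+): (?P<src>\S+) > (?P<dst>\S+):"
)

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
LINK_MCAST = ipaddress.IPv6Network("ff02::/16")


def _addr(token):
    """Parse a tcpdump address token: drop a trailing .port and any %scope suffix."""
    for cand in (token, token.rsplit(".", 1)[0]):
        cand = cand.split("%", 1)[0]
        try:
            return ipaddress.ip_address(cand)
        except ValueError:
            continue
    return None


def linklocal_blocks(pflog_text):
    """Return (rule, src, dst) for every blocked IPv6 packet from fe80::/10 to
    ff02::/16: traffic the ipv6-link-local anchor should have passed first."""
    hits = []
    for line in pflog_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["action"] != "block":
            continue
        src, dst = _addr(m["src"]), _addr(m["dst"])
        if not isinstance(src, ipaddress.IPv6Address) or not isinstance(dst, ipaddress.IPv6Address):
            continue
        if src in LINK_LOCAL and dst in LINK_MCAST:
            hits.append((int(m["rule"]), str(src), str(dst)))
    return hits


if __name__ == "__main__":
    for rule, src, dst in linklocal_blocks(SAMPLE_PFLOG):
        print(f"rule {rule}: {src} -> {dst} blocked although it is link-local multicast")
```

Any line it reports after the anchor is in place means the link-local rules are not being reached first (or the source is not really link-local), so check rule order with "pfctl -vvsr".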