Configuring PF with Jails only having IPv6
Niklaas Baudet von Gersdorff
niklaas at kulturflatrate.net
Sun Nov 23 13:09:30 UTC 2014
Robin Geuze [2014-11-22 12:55 +0000] :
> IPv6 uses icmp6 to transmit ndp packets. Ndp is basically the ipv6
> version of arp. Based on your packet dump it seems your server is
> trying to figure out the mac address for the router for ipv6 but is
> disallowed by your pf rules. "pass in quick icmp6 from any to any" and
> "pass out quick icmp6 from any to any" should fix your problem.
Thank you for the explanation.
Darren Pilgrim [2014-11-22 06:25 -0800] :
> Or just "pass quick icmp6 from any to any".
Yes, what I finally use is
pass quick proto icmp6 all
which should be the same.
> You should limit the types, though. See RFC 4890. In short, allow
> types 1, 2, 3, 4, 128, 129, 135, and 136 universally. If you use
> router advertisements, add types 133 and 134.
OK, thank you very much. I'll update the above line to only allow passing
these.
After applying this I could connect to the jail without any problem. So,
thank you very much. Nonetheless there was no outbound connection from
the jail possible. Luckily, I just solved this. It was the following
entry that caused problems:
pass out on $ext_if proto tcp all modulate state
Because it looks like it's not possible to use modulate state with
IPv6, as shortly stated here:
https://forums.freebsd.org/threads/9-1-and-outgoing-tcp6-operation-timed-out.36595/#post-202506
Thanks again and best,
--
Niklaas
Baudet von Gersdorff
niklaas at kulturflatrate.net
http://www.twitter.com/NBvGersdorff
http://www.kulturflatrate.net/niklaas
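As an added example (not part of the original message), the two rules discussed above as they would appear in pf.conf: the unrestricted icmp6 rule beside one limited to the RFC 4890 types, and the modulate-state rule beside a plain stateful replacement. It assumes $ext_if is defined as a macro earlier in the file and that keep state is an acceptable substitute for modulate state.

```pf
# Added example; not from the original message. $ext_if is assumed
# to be defined as a macro earlier in pf.conf.

# Before: every ICMPv6 type is allowed.
# pass quick proto icmp6 all

# After: only the types RFC 4890 lists for universal use
# (1 unreach, 2 toobig, 3 timex, 4 paramprob, 128 echoreq,
# 129 echorep) plus NDP neighbor solicitation/advertisement
# (135 neighbrsol, 136 neighbradv). Blocking 135/136 stops the
# host from resolving the router's link-layer address, which is
# the failure described in the thread.
pass quick inet6 proto icmp6 all icmp6-type { unreach, toobig, timex, paramprob, echoreq, echorep, neighbrsol, neighbradv }

# Only if the host relies on router advertisements (SLAAC):
# 133 routersol, 134 routeradv.
pass quick inet6 proto icmp6 all icmp6-type { routersol, routeradv }

# Before: outbound TCP from the jail timed out with this rule.
# pass out on $ext_if proto tcp all modulate state

# After: plain stateful rule (keep state is pf's default for pass
# rules, so the keyword is optional but explicit here).
pass out on $ext_if proto tcp all keep state
```

Reload with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`.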