misc/100879: PF on Freebsd 6.1-STABLE doesn't block IPv6
daniel at benzedrine.cx
Wed Jul 26 16:30:22 UTC 2006
The following reply was made to PR misc/100879; it has been noted by GNATS.
From: Daniel Hartmeier <daniel at benzedrine.cx>
To: Remko Catersels <sirdice at xs4all.nl>
Cc: freebsd-gnats-submit at freebsd.org
Subject: Re: misc/100879: PF on Freebsd 6.1-STABLE doesn't block IPv6
Date: Wed, 26 Jul 2006 18:27:30 +0200
On Wed, Jul 26, 2006 at 11:33:25AM +0000, Remko Catersels wrote:
> Compiled a kernel with INET6 support. Added device pf and pflog. Configured IPv6 using a tunnel broker supplied by my ISP. IPv6 fully functional. Internal machines all have a global IPv6 address. Added a block in on $ext_if inet6 from any to any. Reloaded pf.conf. I can still ping all the machines behind the firewall via IPv6.
That blocks IPv6 packets on $ext_if. Maybe what is passing on $ext_if is
not actually native IPv6 packets, but encapsulated IPv6-in-IPv4 packets
("inet proto ipv6" in pf syntax)? And you need to filter the native IPv6
packets after decapsulation on the virtual tunnel interface, like gif(4)?
When in doubt, tcpdump ;)
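To make the point of the reply concrete, here is an added pf.conf fragment (not from the PR or from Daniel's message) showing the rule the submitter used beside a layout that filters the tunnel as IPv4 on $ext_if and the decapsulated IPv6 on the gif(4) interface. The interface names and the broker endpoint address are placeholders.

```pf
# Added example, not part of the PR. Placeholders:
ext_if      = "fxp0"       # external interface, carries the IPv4 tunnel
tun_if      = "gif0"       # gif(4) interface, carries native IPv6 after decapsulation
tunnel_peer = "192.0.2.1"  # broker's IPv4 tunnel endpoint (TEST-NET-1, placeholder)

# What the PR tried. "inet6" only matches packets whose outer header is IPv6.
# Traffic from the broker reaches $ext_if as IPv4 with protocol 41 (ipv6),
# so this rule never matches it and the inner IPv6 keeps flowing.
block in on $ext_if inet6 from any to any

# 1. On $ext_if the tunnel is an IPv4 flow: drop protocol 41 from anyone
#    except the broker (last matching rule wins, so the pass overrides).
block in  on $ext_if inet proto ipv6
pass  in  on $ext_if inet proto ipv6 from $tunnel_peer to ($ext_if)
pass  out on $ext_if inet proto ipv6 from ($ext_if) to $tunnel_peer

# 2. After gif(4) decapsulates, the packet is native IPv6 on $tun_if.
#    This is where the inet6 rules belong. pf on 6.x is not stateful by
#    default, so replies need "keep state".
block in  on $tun_if inet6 from any to any
pass  out on $tun_if inet6 from any to any keep state
# Let "packet too big" in so path MTU discovery works across the tunnel;
# echo requests stay blocked, which is what the submitter wanted.
pass  in  on $tun_if inet6 proto icmp6 all icmp6-type toobig
```

Check the result with tcpdump on both interfaces, as the reply suggests: on $ext_if you should see IPv4 protocol 41 frames, on $tun_if the native IPv6 that the inet6 rules act on.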