misc/100879: PF on Freebsd 6.1-STABLE doesn't block IPv6

Daniel Hartmeier daniel at benzedrine.cx
Wed Jul 26 16:30:22 UTC 2006


The following reply was made to PR misc/100879; it has been noted by GNATS.

From: Daniel Hartmeier <daniel at benzedrine.cx>
To: Remko Catersels <sirdice at xs4all.nl>
Cc: freebsd-gnats-submit at freebsd.org
Subject: Re: misc/100879: PF on Freebsd 6.1-STABLE doesn't block IPv6
Date: Wed, 26 Jul 2006 18:27:30 +0200

 On Wed, Jul 26, 2006 at 11:33:25AM +0000, Remko Catersels wrote:
 
 > Compiled a kernel with INET6 support. Added device pf and pflog. Configured IPv6 using a tunnel broker supplied by my ISP. IPv6 fully functional. Internal machines all have a global IPv6 address. Added a block in on $ext_if inet6 from any to any. Reloaded pf.conf. I can still ping all the machines behind the firewall via IPv6.
 
 That blocks IPv6 packets on $ext_if. Maybe what is passing on $ext_if is
 not actually native IPv6 packets, but encapsulated IPv6-in-IPv4 packets
 ("inet proto ipv6" in pf syntax)? And you need to filter the native IPv6
 packets after decapsulation on the virtual tunnel interface, like gif(4)?
 
 When in doubt, tcpdump ;)
 
 Daniel
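The distinction Daniel draws, as an added pf.conf example (not from the PR or from Daniel's reply): the reporter's rule on $ext_if only matches native IPv6, while tunnelled IPv6 arrives there as IPv4 protocol 41 and only becomes IPv6 after gif(4) decapsulates it. The interface names fxp0/gif0 and the tunnel endpoint address are assumptions.

```pf
# Added example; interface names and the broker address are assumptions,
# not values taken from the PR.
ext_if   = "fxp0"        # assumed physical interface carrying the IPv4 tunnel
tun_if   = "gif0"        # assumed gif(4) interface where IPv6 is decapsulated
tun_peer = "192.0.2.1"   # constructed placeholder for the tunnel broker endpoint

# The rule from the PR. On $ext_if it matches only native IPv6 frames; the
# tunnelled traffic is IPv4 with protocol 41 here, so this rule never fires.
block in on $ext_if inet6 from any to any

# Filter the decapsulated IPv6 on the tunnel interface instead.
block in  on $tun_if inet6 from any to any
pass  out on $tun_if inet6 from any to any keep state

# On the outer interface, permit only the encapsulated tunnel itself
# ("inet proto ipv6" is protocol 41, IPv6-in-IPv4).
pass in  on $ext_if inet proto ipv6 from $tun_peer  to ($ext_if)
pass out on $ext_if inet proto ipv6 from ($ext_if)  to $tun_peer
```

To confirm which case applies before changing rules, watch both interfaces as Daniel suggests: `tcpdump -ni fxp0 ip proto 41` shows the encapsulated packets on the outer interface, and `tcpdump -ni gif0 ip6` shows the IPv6 packets pf must match after decapsulation. Once a `block ... log` rule on gif0 is in place, `tcpdump -n -e -ttt -i pflog0` shows the hits.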

