I'm getting sick - Problems filtering IPv6.
Frank Steinborn
steinex at nognu.de
Tue Aug 1 14:29:27 UTC 2006
At first, here is the complete ruleset:
http://www.nognu.de/~steinex/pf.conf.txt
The Problem:
As you can see, I'm having a stateful outgoing rule for IPv6:
pass out on gif0 inet6 proto { tcp, udp, icmp6, ipv6 } all modulate state
That works just fine. I can ping v6-hosts and surf the web via v6. But
I want to open some daemons for the outside world, for example a
nameserver:
pass in on gif0 inet6 proto { tcp, udp } from any to 2001:1638:17ad::3 port 53 modulate state
Let's try to connect to it now, from another box:
$ telnet 2001:1638:17ad::3 53
Trying 2001:1638:17ad::3...
Connected to 2001:1638:17ad::3.
Escape character is '^]'.
That works just fine! Yay! However, if I try the same on the same box
running the named and the filter:
$ telnet 2001:1638:17ad::3 53
Trying 2001:1638:17ad::3...
That's it. It's not possible, and I'm really frustrated for days now.
What is actually borked here? Let's have a look at pflog0 to see what's
dropping:
15:26:35.983709 rule 1/0(match): block in on gif0: 2001:1638:17ad::3.53 > 2001:1638:17ad::3.59761: tcp 40 [bad hdr length 4 - too short, < 20]
Hmm. Bad hdr length? What's up here? If I change the rule
pass out on gif0 inet6 proto { tcp, udp, icmp6, ipv6 } all modulate state
to
pass on gif0 inet6 proto { tcp, udp, icmp6, ipv6 } all modulate state
all works fine. But that's not what I want, of course. Can anyone give
me a clue what's wrong here? Please, it's driving me crazy! :-(
I found one thing about the "bad hdr length" thing on the mailing list,
but I'm not sure if it's related. And it's from 2005:
http://lists.freebsd.org/pipermail/freebsd-current/2005-November/057922.html
Thanks for *any* hint,
Frank
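As an added example, not part of Frank's post or of pf itself: a small parser for the tcpdump-on-pflog0 lines quoted above that picks out the two oddities visible in the logged drop (source address equal to destination address, and tcpdump's truncated-TCP-header complaint) so such entries can be triaged automatically. The first sample line mirrors the post; the second line and its 2001:db8::10 address are constructed.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the tcpdump-on-pflog0 format the post quotes; the first
# line mirrors the post's drop, the second is an invented normal pass (2001:db8::/32).
SAMPLE_LOG = """\
15:26:35.983709 rule 1/0(match): block in on gif0: 2001:1638:17ad::3.53 > 2001:1638:17ad::3.59761: tcp 40 [bad hdr length 4 - too short, < 20]
15:26:36.101200 rule 3/0(match): pass in on gif0: 2001:db8::10.40123 > 2001:1638:17ad::3.53: tcp 40
"""

# One pflog line as tcpdump prints it: timestamp, rule id, action, direction,
# interface, src > dst endpoints, protocol, payload length, optional [note].
LINE_RE = re.compile(
    r"^(?P<ts>\S+) rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>\w+)\): "
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<ifc>\w+): "
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<proto>\w+) (?P<length>\d+)"
    r"(?: \[(?P<note>[^\]]*)\])?$"
)

@dataclass
class PflogEntry:
    rule: int
    action: str
    direction: str
    ifc: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    note: str
    anomalies: list = field(default_factory=list)

def split_endpoint(ep):
    # tcpdump prints IPv6 endpoints as addr.port; the port follows the last dot.
    addr, _, port = ep.rpartition(".")
    return addr, int(port)

def parse_pflog_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, sport = split_endpoint(m["src"])
    dst, dport = split_endpoint(m["dst"])
    e = PflogEntry(int(m["rule"]), m["action"], m["dir"], m["ifc"],
                   src, sport, dst, dport, m["proto"], m["note"] or "")
    if e.src == e.dst:
        e.anomalies.append("src == dst")            # host talking to itself via gif0
    if "bad hdr length" in e.note:
        e.anomalies.append("truncated tcp header")  # tcpdump could not parse the TCP header
    return e

def blocked_anomalies(log_text):
    """Return (rule, anomalies) for every blocked entry that looks abnormal."""
    return [(e.rule, e.anomalies) for e in map(parse_pflog_line, log_text.splitlines())
            if e and e.action == "block" and e.anomalies]

if __name__ == "__main__":
    for rule, why in blocked_anomalies(SAMPLE_LOG):
        print(f"rule {rule}: {', '.join(why)}")
```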