IPv6, PF problem

Max Laier max at love2party.net
Sat Dec 12 20:37:28 UTC 2009


On Saturday 12 December 2009 02:25:08 Aaron Stellman wrote:
> Hello there,
> Here is the problem I've encountered on a dual stack amd64 FreeBSD 8.0p1
> machine.
> 
> What works:
> pass in on $ext_if proto tcp to           port 21
> 
> What doesn't work:
> pass in on $ext_if proto tcp to ($ext_if) port 21
> 
> here is what's logged when it doesn't work:
> listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size
> 1515 bytes
> 00:00:00.000000 rule 0/0(match): block in on bge0:
> 2001:1938:235:beef:21b:21ff:fe37:d799.11220 >
> 2001:1938:235:dead:226:b9ff:fe75:6e5e.21: Flags [S], seq 413041093, win
> 65535, options [mss 1440,nop,nop,sackOK,nop,wscale 1,nop,nop,TS val
> 3435338387 ecr 0], length 0

What does "pfctl -vvsr" give you for the rule?  It should include the number 
of addresses assigned to the interface in the braces - e.g. "... (bge0:4) ..."

In addition, can you try to add separate rules for inet and inet6 - i.e.

pass in on $ext_if inet  proto tcp to ($ext_if) port 21
pass in on $ext_if inet6 proto tcp to ($ext_if) port 21

and check the number of addresses with pfctl -vvsr?
 
> ext_if="bge0"
> 
> epsilon# ifconfig -a
> bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu
> 1500
>         options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
>         ether 00:26:b9:75:6e:5e
>         inet 10.10.11.5 netmask 0xffffffe0 broadcast 10.10.11.31
>         inet6 fe80::226:b9ff:fe75:6e5e%bge0 prefixlen 64 scopeid 0x1
>         inet 10.10.11.8 netmask 0xffffffe0 broadcast 10.10.11.31
>         inet6 2001:1938:235:dead:226:b9ff:fe75:6e5e prefixlen 64
> autoconf
>         media: Ethernet autoselect (1000baseT <full-duplex>)
>         status: active
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
>         options=3<RXCSUM,TXCSUM>
>         inet 127.0.0.1 netmask 0xff000000
>         inet6 ::1 prefixlen 128
>         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
> pflog0: flags=0<> metric 0 mtu 33152
> 
> 
> Notice that it works as expected with IPv4, meaning that when I use "to
> ($ext_if)" and use IPv4 to connect, the connection passes through, unlike
> IPv6.
> Also, OpenBSD pf works as expected with both IPv{4,6}.