Configuring PF with Jails only having IPv6

Darren Pilgrim list_freebsd at bluerosetech.com
Sat Nov 22 14:26:02 UTC 2014


On 11/22/2014 4:55 AM, Robin Geuze wrote:
> IPv6 uses icmp6 to transmit ndp packets. Ndp is basically the ipv6
> version of arp. Based on your packet dump it seems your server is
> trying to figure out the mac address for the router for ipv6 but is
> disallowed by your pf rules. "pass in quick icmp6 from any to any"
> and "pass out quick icmp6 from any to any" should fix your problem.

Or just "pass quick icmp6 from any to any".

You should limit the types, though.  See RFC 4890.  In short, allow 
types 1, 2, 3, 4, 128, 129, 135, and 136 universally.  If you use router 
advertisements, add types 133 and 134.

