Configuring PF with Jails only having IPv6
Niklaas Baudet von Gersdorff
niklaas at kulturflatrate.net
Sun Nov 23 13:29:59 UTC 2014
Niklaas Baudet von Gersdorff [2014-11-23 14:10 +0100] :
> After applying this I could connect to the jail without any problem. So,
> thank you very much. Nonetheless there was no outbound connection from
> the jail possible. Luckily, I just solved this. It was the following
> entry that caused problems:
>
> pass out on $ext_if proto tcp all modulate state
>
> Because it looks like it's not possible to use modulate state with
> IPv6, as briefly stated here:
>
> https://forums.freebsd.org/threads/9-1-and-outgoing-tcp6-operation-timed-out.36595/#post-202506

Just to give you an update about this. My solution is now

    pass out on $ext_if inet proto tcp all modulate state
    pass out on $ext_if inet6 proto tcp all keep state

which does modulate state for IPv4 traffic and keep state for IPv6.
In case this might be helpful for someone in future.

--
Niklaas
Baudet von Gersdorff
niklaas at kulturflatrate.net
http://www.twitter.com/NBvGersdorff
http://www.kulturflatrate.net/niklaas
More information about the freebsd-pf
mailing list
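
A lint for the rule pair in the message above, as an added example that is not part of the original post: it flags pf.conf rules that use modulate state without being restricted to IPv4 by the inet keyword. The function names, the em0 interface and the sample ruleset are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.

# Constructed sample ruleset; em0 is an assumed interface name.
sample_ruleset() {
    cat <<'EOF'
ext_if = "em0"
# pass out on $ext_if proto tcp all modulate state
pass out on $ext_if proto tcp all modulate state
pass out on $ext_if inet proto tcp all modulate state
pass out on $ext_if inet6 proto tcp all keep state
pass out on $ext_if inet6 proto tcp \
    all modulate state
EOF
}

# check_modulate [FILE...]: reads pf.conf text (stdin when no file is given),
# prints "LINE: rule" for each modulate state rule that lacks the inet
# keyword, and returns 1 if any such rule was found, 0 otherwise.
check_modulate() {
    awk '
    {
        line = $0
        sub(/#.*/, "", line)          # strip comments (simplified: no quoted "#")
        if (buf == "") start = NR     # first physical line of this rule
        if (line ~ /\\[ \t]*$/) {     # trailing backslash: rule continues
            sub(/\\[ \t]*$/, " ", line)
            buf = buf line
            next
        }
        rule = buf line
        buf = ""
        gsub(/[ \t]+/, " ", rule)     # normalise whitespace for matching
        sub(/^ /, "", rule); sub(/ $/, "", rule)
        if (rule !~ /modulate state/) next
        v4only = 0
        n = split(rule, w, " ")
        for (i = 1; i <= n; i++) if (w[i] == "inet") v4only = 1
        if (!v4only) { printf "%d: %s\n", start, rule; bad = 1 }
    }
    END { exit (bad ? 1 : 0) }
    ' "$@"
}

# Demo on the constructed sample: reports the rules on lines 3 and 6.
sample_ruleset | check_modulate || echo "restrict these rules to inet; use keep state for inet6"
```

Run against a real ruleset with `check_modulate /etc/pf.conf`; rules without an address family are flagged because they also match IPv6 traffic.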