Need a PF consultant

Kristof Provost kp at FreeBSD.org
Sun Jun 21 21:28:24 UTC 2020 

On 21 Jun 2020, at 23:11, David Mehler wrote:
> Anyone a pf expert wanting to make some extra money?
>
> I'm in need of consulting, I'm having an issue with my PF
> configuration, I've got a much longer message with output and netstat
> and all that, if anyone is interested email me privately with rates
> and I'll send the details, but in brief I've got FreeBSD 12.1 going,
> my provider gives me an IPv6 address, on boot if I ping6 out I get a
> UDP connect no route to host message, disable and reenable pf and I
> can ping6 out as root, and as a user, for about five minutes, then I
> start getting packets are able to be sent out, but nothing comes back.
> About five minutes later again as root and as a user I'm getting the
> UDP connect no route to host message.
>
That sounds a lot like you’re dropping router and/or neighbour 
advertisements.

Make sure you’ve got at least the following pass rules:

	# IPv6 link-local traffic
	pass quick inet6 proto icmp6 from :: to ff02::/16
	pass quick inet6 proto icmp6 from fe80::/10 to fe80::/10
	pass quick inet6 proto icmp6 from fe80::/10 to ff02::/16

	# IPv6 Traffic That Must Not Be Dropped (RFC4890 4.3.1)
	pass quick inet6 proto icmp6 from any to any icmp6-type { unreach, 
toobig }
	pass quick inet6 proto icmp6 from any to any icmp6-type timex code 0
	pass quick inet6 proto icmp6 from any to any icmp6-type { paramprob 
code 1, paramprob code 2 }
	pass quick inet6 proto icmp6 from any to any icmp6-type { echoreq, 
echorep }

	# IPv6 Traffic That Normally Should Not Be Dropped (RFC4890 4.3.2)
	pass quick inet6 proto icmp6 from any to any icmp6-type timex code 1
	pass quick inet6 proto icmp6 from any to any icmp6-type paramprob code 
0

	# IPv6 local configuration (ND, DAD, RS, etc...)
	pass quick inet6 proto icmp6 from any to any icmp6-type { routersol, 
routeradv }
	pass quick inet6 proto icmp6 from any to any icmp6-type { neighbrsol, 
neighbradv }
	pass quick inet6 proto icmp6 from any to any icmp6-type { 141, 142 }
	pass quick inet6 proto icmp6 from any to any icmp6-type { listqry, 
listenrep, listendone, 143 }
	pass quick inet6 proto icmp6 from any to any icmp6-type { 148, 149 }
	pass quick inet6 proto icmp6 from any to any icmp6-type { 151, 152, 153 
}

At a guess the routersol/routeradv and neighbrsol/neigbradv are the ones 
you’re running into, but you likely want to allow all of these.

Best regards,
Kristof

More information about the freebsd-pf mailing list