PF vs. ping6
Christopher Cowart
ccowart at rescomp.berkeley.edu
Fri Feb 22 00:36:01 UTC 2008
On Fri, Feb 22, 2008 at 01:14:55AM +0100, Colin Brace wrote:
> Hi all,
>
> I am trying to set up an IPv6 tunnel following the instructions in the
> handbook <http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-ipv6.html>.
> aiccu starts ok:
>
> # sixxs-aiccu start
> Tunnel Information for T14342:
> POP Id : nlams05
> IPv6 Local : xxxxxxxxxxxxxxxxx2/64
> IPv6 Remote : xxxxxxxxxxxxxxxxx1/64
> Tunnel Type : 6in4-heartbeat
> Adminstate : enabled
> Userstate : enabled
>
> I can ping6 localhost, I can ping6 the tunnel begin point (local), but
> I can't ping6 the (remote) end point. Firing up tcpdump, I see that
> the firewall is blocking the ping packets.
>
> I have these (provisional) rules at the top of the filter section in PF:
>
> pass quick on fxp0 inet6 # ext if

I don't use pf, but I'm guessing from the man page that you may need to
try:

pass quick on fxp0 proto 41

You might be able to substitute 41 with the symbolic name in
/etc/protocols (ipv6).

Note that you're trying to match the "protocol" field of an IPv4 address
which, for the majority of internet traffic, is tcp, udp, or icmp; in
this case it's ipv6, because the contents of your IPv4 packets are the
tunneled v6 packets.

I think 'pass quick on fxp0 inet6' is checking against the type of the
outer packet, which is actually an IPv4 packet.

Good luck,

--
Chris Cowart
Network Technical Lead
Network & Infrastructure Services, RSSP-IT
UC Berkeley
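
The point of the reply above, as an added example that is not part of the original message: a constructed 6in4 packet is parsed from the outside in, showing that a filter on the physical interface sees an IPv4 packet carrying protocol 41 rather than an inet6 packet. The addresses are documentation-range placeholders, and outer_matches is a hypothetical, simplified model of an address-family/proto rule, not pf's own matching code.

```python
import ipaddress
import struct

IPPROTO_IPV6 = 41    # "ipv6" in /etc/protocols: IPv6 carried inside IPv4
IPPROTO_ICMPV6 = 58

def build_6in4_echo(v4_src, v4_dst, v6_src, v6_dst):
    """Constructed sample: ICMPv6 echo request inside IPv6 inside IPv4 (checksums left 0)."""
    packed = lambda a: ipaddress.ip_address(a).packed
    icmp6 = struct.pack("!BBHHH", 128, 0, 0, 1, 1)   # type 128 = echo request
    ip6 = struct.pack("!IHBB", 6 << 28, len(icmp6), IPPROTO_ICMPV6, 64)
    ip6 += packed(v6_src) + packed(v6_dst)
    ip4 = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(ip6) + len(icmp6),
                      0, 0, 64, IPPROTO_IPV6, 0)
    return ip4 + packed(v4_src) + packed(v4_dst) + ip6 + icmp6

def classify(pkt):
    """Return [(address family, protocol), ...] from the outermost header inwards."""
    if not pkt:
        raise ValueError("empty packet")
    version = pkt[0] >> 4
    if version == 4:
        ihl = (pkt[0] & 0x0F) * 4
        if ihl < 20 or len(pkt) < ihl:
            raise ValueError("truncated IPv4 header")
        proto = pkt[9]                      # IPv4 "protocol" field
        inner = classify(pkt[ihl:]) if proto == IPPROTO_IPV6 else []
        return [("inet", proto)] + inner
    if version == 6:
        if len(pkt) < 40:
            raise ValueError("truncated IPv6 header")
        return [("inet6", pkt[6])]          # IPv6 "next header" field
    raise ValueError("not an IP packet")

def outer_matches(pkt, af=None, proto=None):
    """Simplified rule model: compare af/proto against the OUTER header only."""
    outer_af, outer_proto = classify(pkt)[0]
    return (af is None or af == outer_af) and (proto is None or proto == outer_proto)

# Constructed packet, as it would appear on the external interface.
SAMPLE = build_6in4_echo("192.0.2.10", "198.51.100.1", "2001:db8::2", "2001:db8::1")

if __name__ == "__main__":
    print("layers:", classify(SAMPLE))
    print("rule 'inet6' matches:", outer_matches(SAMPLE, af="inet6"))
    print("rule 'proto 41' matches:", outer_matches(SAMPLE, proto=IPPROTO_IPV6))
```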