Date: Tue, 1 Aug 2006 16:29:25 +0200
From: Frank Steinborn <steinex@nognu.de>
To: freebsd-pf@FreeBSD.org
Subject: I'm getting sick - Problems filtering IPv6.
Message-ID: <20060801142925.54F5CB828@shodan.nognu.de>

At first, here is the complete ruleset:

http://www.nognu.de/~steinex/pf.conf.txt

The Problem:

As you can see, I'm having a stateful outgoing rule for IPv6:

    pass out on gif0 inet6 proto { tcp, udp, icmp6, ipv6 } all modulate state

That works just fine. I can ping v6-hosts and surf the web via v6. But I
want to open some daemons for the outside world, for example a
nameserver:

    pass in on gif0 inet6 proto { tcp, udp } from any to 2001:1638:17ad::3 port 53 modulate state

Let's try to connect to it now, from another box:

    $ telnet 2001:1638:17ad::3 53
    Trying 2001:1638:17ad::3...
    Connected to 2001:1638:17ad::3.
    Escape character is '^]'.

That works just fine! Yay! However, if I try the same on the same box
running the named and the filter:

    $ telnet 2001:1638:17ad::3 53
    Trying 2001:1638:17ad::3...

That's it. It's not possible, and I've been really frustrated for days now.
What is actually borked here? Let's have a look at the pflog0, what's
dropping:

    15:26:35.983709 rule 1/0(match): block in on gif0: 2001:1638:17ad::3.53 > 2001:1638:17ad::3.59761: tcp 40 [bad hdr length 4 - too short, < 20]

Hmm. Bad hdr length? What's up here? If I change the rule

    pass out on gif0 inet6 proto { tcp, udp, icmp6, ipv6 } all modulate state

to

    pass on gif0 inet6 proto { tcp, udp, icmp6, ipv6 } all modulate state

all works fine. But that's not what I want, of course.

Can anyone give me a clue what's wrong here? Please, it's driving me
crazy! :-(

I found one thing about the "bad hdr length" thing on the mailing list,
but I'm not sure if it's related. And it's from 2005:

http://lists.freebsd.org/pipermail/freebsd-current/2005-November/057922.html

Thanks for *any* hint,
Frank