Date: Sun, 4 Jul 2010 05:24:10 +0000 (UTC)
From: Marcin Wisnicki <mwisnicki+freebsd@gmail.com>
To: freebsd-pf@freebsd.org
Subject: Re: urpf-failed & ipv6
Message-ID: <i0p5tq$val$1@dough.gmane.org>
References: <4C2F3B3D.70306@interactive-net.de>
On Sat, 03 Jul 2010 15:29:33 +0200, Reinhard Haller wrote:
> Hi,
>
> I recently discovered a strange behavior on my border router. In the
> following ruleset:
>
> block log all
> block in log quick from urpf-failed to any
> pass quick on $int_if inet6 proto udp from any to any port ripng
> block drop on !$int_if inet6 proto udp from any to any port ripng
>
> all occurrences of
>
> fe80::<mac-address>%$int_if -> ff02::9
>
> were blocked by the urpf-failed rule.
>
> Any suggestions why this happens?

Probably this change:
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/pf.c#rev1.625
Seems it's not yet merged to FreeBSD.

I'm using the following as a temporary solution (adapted from rc.firewall):

block log all
anchor "ipv6-link-local" quick inet6 {
	pass proto icmp6 from :: to ff02::/16
	pass proto icmp6 from fe80::/10 to fe80::/10
	pass proto icmp6 from fe80::/10 to ff02::/16
	pass from fe80::/10 to ff02::/16
	pass from (self:network) to ff02::/16
	pass proto udp from fe80::/10 to (self) port dhcpv6-client
}
block in log quick from urpf-failed
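The following is an added example, not code from either poster: a toy pf rule evaluator that walks both rulesets from this thread (Reinhard's original and Marcin's workaround) with pf's last-match-wins and quick semantics, so you can see why RIPng, DAD and DHCPv6 traffic from link-local or unspecified sources dies on "block in quick from urpf-failed" and why the link-local anchor placed before it lets that traffic through without weakening the uRPF check for global addresses. Everything below the imports is assumption: $int_if is taken to be em0, the routing table, the addresses that (self) and (self:network) expand to, and the sample packets are constructed, and uRPF is modelled in the simplest strict form (source passes only if a route to it exits via the ingress interface; link-local and :: have no route and therefore fail), which matches the behaviour Reinhard reported but is not pf's actual lookup code.

```python
"""Toy pf evaluator for the two rulesets in this thread (added example, not pf code)."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

LINK_LOCAL = ipaddress.ip_network("fe80::/10")
LINK_SCOPE_MCAST = ipaddress.ip_network("ff02::/16")
UNSPECIFIED = ipaddress.ip_address("::")
RIPNG_PORT = 521           # "ripng" in /etc/services
DHCPV6_CLIENT_PORT = 546   # "dhcpv6-client" in /etc/services

INT_IF = "em0"  # assumed value of $int_if

# Constructed stand-ins for what pf expands (self) and (self:network) to.
SELF_ADDRS = {ipaddress.ip_address("2001:db8:1::1"), ipaddress.ip_address("fe80::1")}
SELF_NETWORKS = [ipaddress.ip_network("2001:db8:1::/64")]

# Constructed FIB: (prefix, egress interface). Note there is deliberately no
# entry covering fe80::/10 or ::, which is what makes the uRPF model fail them.
ROUTES = [(ipaddress.ip_network("2001:db8:1::/64"), "em0"),
          (ipaddress.ip_network("2001:db8:2::/64"), "em1")]


@dataclass(frozen=True)
class Packet:
    direction: str            # "in" or "out"
    ifname: str               # interface the packet was seen on
    proto: str                # "udp", "tcp" or "icmp6"
    src: str
    dst: str
    dport: Optional[int] = None


def addr(a: str) -> ipaddress._BaseAddress:
    return ipaddress.ip_address(a)


def is_inet6(pkt: Packet) -> bool:
    return addr(pkt.src).version == 6


def urpf_failed(pkt: Packet) -> bool:
    """Simplified strict uRPF (assumption, not pf's code): the source passes only
    when the route back to it leaves via the interface the packet arrived on."""
    src = addr(pkt.src)
    for prefix, ifname in ROUTES:
        if src in prefix:
            return ifname != pkt.ifname
    return True  # no route back to the source at all: fail


def anchor_ipv6_link_local(pkt: Packet) -> Optional[str]:
    """Mirrors the inline anchor from the reply; returns "pass" if any rule inside matches."""
    if not is_inet6(pkt):
        return None
    src, dst = addr(pkt.src), addr(pkt.dst)
    icmp6 = pkt.proto == "icmp6"
    if icmp6 and src == UNSPECIFIED and dst in LINK_SCOPE_MCAST:      # DAD / MLD from ::
        return "pass"
    if icmp6 and src in LINK_LOCAL and dst in LINK_LOCAL:             # NS/NA, RS between LL
        return "pass"
    if icmp6 and src in LINK_LOCAL and dst in LINK_SCOPE_MCAST:       # RA, NS to solicited-node
        return "pass"
    if src in LINK_LOCAL and dst in LINK_SCOPE_MCAST:                 # RIPng, mDNS etc. from LL
        return "pass"
    if any(src in n for n in SELF_NETWORKS) and dst in LINK_SCOPE_MCAST:
        return "pass"
    if (pkt.proto == "udp" and src in LINK_LOCAL and dst in SELF_ADDRS
            and pkt.dport == DHCPV6_CLIENT_PORT):
        return "pass"
    return None


# A rule is (text, quick, match_fn); match_fn returns "pass"/"block" or None.
Rule = Tuple[str, bool, Callable[[Packet], Optional[str]]]


def rule(text: str, quick: bool, fn: Callable[[Packet], Optional[str]]) -> Rule:
    return (text, quick, fn)


def urpf_rule(p: Packet) -> Optional[str]:
    return "block" if p.direction == "in" and urpf_failed(p) else None


def ripng_udp(p: Packet) -> bool:
    return is_inet6(p) and p.proto == "udp" and p.dport == RIPNG_PORT


ORIGINAL: List[Rule] = [
    rule("block log all", False, lambda p: "block"),
    rule("block in log quick from urpf-failed to any", True, urpf_rule),
    rule("pass quick on $int_if inet6 proto udp from any to any port ripng", True,
         lambda p: "pass" if p.ifname == INT_IF and ripng_udp(p) else None),
    rule("block drop on !$int_if inet6 proto udp from any to any port ripng", False,
         lambda p: "block" if p.ifname != INT_IF and ripng_udp(p) else None),
]

WORKAROUND: List[Rule] = [
    rule("block log all", False, lambda p: "block"),
    rule('anchor "ipv6-link-local" quick inet6', True, anchor_ipv6_link_local),
    rule("block in log quick from urpf-failed", True, urpf_rule),
]


def evaluate(ruleset: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """pf semantics: the last matching rule wins unless a matching rule is quick."""
    verdict = ("pass", "<no rule matched>")
    for text, quick, fn in ruleset:
        action = fn(pkt)
        if action is None:
            continue
        verdict = (action, text)
        if quick:
            break
    return verdict


# Constructed sample packets.
RIPNG = Packet("in", "em0", "udp", "fe80::2", "ff02::9", RIPNG_PORT)
DAD = Packet("in", "em0", "icmp6", "::", "ff02::1:ff00:1")
DHCPV6 = Packet("in", "em0", "udp", "fe80::2", "fe80::1", DHCPV6_CLIENT_PORT)
SPOOFED = Packet("in", "em0", "udp", "2001:db8:2::5", "2001:db8:1::1", 53)  # belongs behind em1

if __name__ == "__main__":
    for name, pkt in [("RIPng", RIPNG), ("DAD", DAD), ("DHCPv6", DHCPV6), ("spoofed", SPOOFED)]:
        print(f"{name:8} original:   {evaluate(ORIGINAL, pkt)}")
        print(f"{name:8} workaround: {evaluate(WORKAROUND, pkt)}")
```

The interesting rows are the link-local ones (RIPng, DAD, DHCPv6): the original ruleset blocks all three on the uRPF rule before the RIPng pass rule is ever reached, the workaround passes them via the anchor, and the spoofed global-unicast packet arriving on the wrong interface is still blocked by urpf-failed in both, so the anchor only carves out traffic for which a route-based reverse-path check can never succeed.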