From owner-freebsd-questions@FreeBSD.ORG Sat Sep 23 22:36:15 2006
From: Peter Schuller <peter.schuller@infidyne.com>
To: freebsd-questions@freebsd.org
Date: Sun, 24 Sep 2006 00:36:11 +0200
Message-Id: <200609240036.12322.peter.schuller@infidyne.com>
Subject: pf + ipv6 + keep state - any known issues?

Hello,

I am using pf on a 6.1 machine. I have a tunneling interface (gif0) for my IPv6 feed.

The problem I am having is connecting to myself in spite of firewalling. I am allowing traffic on port 22 to my public IPv6 address. I am also allowing all outgoing traffic on the tunneling interface, with 'keep state'.

ping6-ing myself works, but connecting to port 22 does not. The initial SYN gets through and is responded to by an ACK, but that ACK is seemingly dropped. This in spite of the fact that 'pfctl -s state' shows a tracked connection for the relevant port pair.
I can work around it by allowing all packets from my own IP on the tunneling interface, but as far as I know this should not be required. That is, connection tracking should be working even for local connections on a particular interface - correct?

Note that connecting to port 22 works perfectly from outside IPs (I had someone external verify this) without any special casing of the rules. That is, I only have the usual rules for allowing the incoming packets to port 22, and the rule allowing outgoing packets with 'keep state'. The fact that this allows successful establishment to port 22 by an external party suggests to me that I have not made some trivial mistake in the rule - yet connections to myself do not work.

My question is whether there are any known issues that this sounds like - or of course if there is some reason why this is not supposed to work by design.

Thank you,

-- 
/ Peter Schuller, InfiDyne Technologies HB
PGP userID: 0xE9758B7D or 'Peter Schuller <peter.schuller@infidyne.com>'
Key retrieval: Send an E-Mail to getpgpkey@scode.org
E-Mail: peter.schuller@infidyne.com
Web: http://www.scode.org
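As an added example (not part of Peter's mail, and not from FreeBSD's own documentation), here is a pf.conf fragment in FreeBSD 6.x pf syntax that reproduces the rule set the mail describes, plus the workaround it mentions and the logging a practitioner would switch on to see which rule and which interface drop the returning ACK. The interface name gif0 and port 22 come from the mail; the address 2001:db8::1 is a documentation-prefix placeholder for the host's public IPv6 address, and the macros, the `log` keyword and the `set skip on lo0` line are additions for illustration.

```pf
# Constructed pf.conf fragment (FreeBSD 6.x pf, OpenBSD 3.7-era syntax).
# 2001:db8::1 is an assumed placeholder for the host's public IPv6 address.
ext_if6 = "gif0"
me6     = "2001:db8::1"

# Options must precede filter rules. pf filters lo0 like any other
# interface by default, so rules bound to gif0 do not cover the loopback
# leg of a connection to the host's own address; exempting lo0 is the
# usual way to take that out of the picture while debugging.
set skip on lo0

# Log every block so a dropped packet shows up on pflog0 with the
# interface it was seen on and the rule number that dropped it.
block log all

# Inbound SSH to the public IPv6 address (the rule described in the mail).
pass in on $ext_if6 inet6 proto tcp from any to $me6 port 22 keep state

# All outbound traffic on the tunnel, stateful (the rule described in the mail).
pass out on $ext_if6 inet6 from $me6 to any keep state

# The workaround from the mail: accept everything from our own address on
# the tunnel interface, in either direction. Uncomment to reproduce it.
# pass on $ext_if6 inet6 from $me6 to any

# Checks to run while reproducing the problem:
#   pfctl -nf /etc/pf.conf              syntax check before loading
#   pfctl -s state                      is the port pair tracked?
#   pfctl -vvs rules                    per-rule packet counters and rule numbers
#   tcpdump -n -e -ttt -i pflog0        which rule/interface dropped the ACK
```

The useful signal is the pflog0 trace: it prints the rule number and the interface name for each blocked packet, so you can tell whether the dropped ACK was evaluated against the gif0 rules at all or against some other interface, before touching the rule set.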