Date:      Sat, 22 Nov 2014 06:25:50 -0800
From:      Darren Pilgrim <list_freebsd@bluerosetech.com>
To:        Robin Geuze <robing@transip.nl>,  Niklaas Baudet von Gersdorff <niklaas@kulturflatrate.net>
Cc:        "freebsd-pf@freebsd.org" <freebsd-pf@freebsd.org>
Subject:   Re: Configuring PF with Jails only having IPv6
Message-ID:  <54709CEE.2090800@bluerosetech.com>
In-Reply-To: <AM3PR02MB03919B240CBCB1009066B47BAA740@AM3PR02MB0391.eurprd02.prod.outlook.com>
References:  <AM3PR02MB03919B240CBCB1009066B47BAA740@AM3PR02MB0391.eurprd02.prod.outlook.com>

On 11/22/2014 4:55 AM, Robin Geuze wrote:
> IPv6 uses icmp6 to transmit ndp packets. Ndp is basically the ipv6
> version of arp. Based on your packet dump it seems your server is
> trying to figure out the mac address for the router for ipv6 but is
> disallowed by your pf rules. "pass in quick icmp6 from any to any"
> and "pass out quick icmp6 from any to any" should fix your problem.

Or just "pass quick icmp6 from any to any".

You should limit the types, though.  See RFC 4890.  In short, allow 
types 1, 2, 3, 4, 128, 129, 135, and 136 universally.  If you use router 
advertisements, add types 133 and 134.
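
The type list from the message above written out as pf.conf rules, as an added example that is not part of the original e-mail. The macro names are assumptions, and the rules use the full `inet6 proto icmp6` form that pf.conf(5) documents.

```conf
# Added example, not from the original message. Macro names are hypothetical.

# Types the message says to allow universally (see RFC 4890), by number:
#   1   unreach     destination unreachable
#   2   toobig      packet too big (needed for path MTU discovery)
#   3   timex       time exceeded
#   4   paramprob   parameter problem
#   128 echoreq     echo request
#   129 echorep     echo reply
#   135 neighbrsol  neighbor solicitation (NDP)
#   136 neighbradv  neighbor advertisement (NDP)
icmp6_types = "{ 1, 2, 3, 4, 128, 129, 135, 136 }"

# Only needed when router advertisements are in use:
#   133 routersol   router solicitation
#   134 routeradv   router advertisement
icmp6_ra_types = "{ 133, 134 }"

# Broad form discussed in the thread, kept commented out for comparison.
# It matches every ICMPv6 type, not only the ones listed above:
# pass quick inet6 proto icmp6 from any to any

# Restricted form: only the listed types pass.
pass quick inet6 proto icmp6 from any to any icmp6-type $icmp6_types

# Drop this rule on networks that do not use router advertisements.
pass quick inet6 proto icmp6 from any to any icmp6-type $icmp6_ra_types
```

Parse the file with `pfctl -nf /etc/pf.conf` before loading it; `-n` checks the syntax without changing the running ruleset.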


