Date:      Wed, 5 Jan 2005 04:34:51 +0100
From:      Max Laier <max@love2party.net>
To:        freebsd-pf@freebsd.org, yongari@kt-is.co.kr
Subject:   Re: pf NAT function with IPv6
Message-ID:  <200501050435.00711.max@love2party.net>
In-Reply-To: <20050105032351.GA8022@kt-is.co.kr>
References:  <20041230.232305.71087886.yamamoto436@oki.com> <20050105032351.GA8022@kt-is.co.kr>

On Wednesday 05 January 2005 04:23, Pyun YongHyeon wrote:
> On Thu, Dec 30, 2004 at 11:23:05PM +0900, Hideki Yamamoto wrote:
>  > Hi,
>  >
>  > I tried to use pf to change the source address of an IPv6 UDP packet, but it
>  > does not go well, as the output of the 'pfctl' command seems to show no problem.
>  > I wonder if pf on FreeBSD does not support IPv6 now.
>
> AFAIK, No. pf is the only firewall that supports (almost) full
> IPv6 in BSDs.

True, though that does not mean that it is 100% bug-free ;)

>  > ---------- /etc/pf.conf ------------- start
>  > ext_if="bge2"
>  > int_if="bge0"
>  > internal_net="fec0:0:0:d::0/32"
>  > nat on bge2 inet6 from fec0:0:0:d::1 to any -> 2001:b90:ee00:ff0b::1:3
>  > ---------- /etc/pf.conf ------------- end
>  >
>  > tsrmldgw3# pfctl -s state
>  > No ALTQ support in kernel
>  > ALTQ related functions disabled
>  > self udp fec0:0:0:d::1[15001] -> 2001:b90:ee00:ff0b::1:3[52925] ->
>  > 2001:b90:ee00:51b:208:4ff:fe28:a1d2[8001] SINGLE:NO_TRAFFIC

This state entry indicates that the outgoing packet went out okay. Can you
verify/falsify with tcpdump if it really did? You might also want to check at
the remote to see if the packet makes it there. If yes, check for the reply
on your gateway.

If one of the packets carries IPv6 option headers it might get dropped due to a
recently discovered bug:
This is fixed in pf.c HEAD >= 1.24 and RELENG_5 >= 1.18.2.5

> Works here. Tested on FreeBSD-CURRENT sparc64
> mars# pfctl -ss
> self tcp fec0:0:0:d::1[49152] -> 2001:b90:ee00:ff0b::1[51223] -> 2001:b90:ee00:ff0b::10[22]       ESTABLISHED:ESTABLISHED
> self tcp fec0:0:0:d::1[22] <- 2001:b90:ee00:ff0b::1[22] <- 2001:b90:ee00:ff0b::10[49154]       ESTABLISHED:ESTABLISHED
>
> mars# pfctl -sr
> pass in on hme0 inet6 proto tcp all flags S/SA keep state
> pass out on hme0 inet6 proto tcp all flags S/SA keep state
> mars# pfctl -sn
> nat on hme0 inet6 proto tcp from ! (hme0) to any -> 2001:b90:ee00:ff0b::1
> rdr on hme0 inet6 proto tcp from any to any port = ssh -> fec0:0:0:d::1 port 22
>
> Due to lack of hardware and IPv6 setup, I tested an ssh connection. But
> there is no reason UDP wouldn't work.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
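The diagnostic step Max suggests above (the state exists, so find out where the reply gets lost) can be automated over `pfctl -s state` output. The following is an added example, not code from the thread or from pf: it parses the state table format shown in the messages (the `addr[port]` form for IPv6, plus the `addr:port` form pfctl uses for IPv4, which is an assumption about lines the thread does not show) and lists the NAT-translated states that are still stuck at `NO_TRAFFIC` on the remote side, i.e. the flows worth capturing with tcpdump.

```python
import re
from typing import Dict, List, Optional

# "addr[port]" for IPv6 (as in the thread) or "addr:port" for IPv4, as pfctl prints them.
_EP = r'(?:[^\s\[]+\[\d+\]|\d+\.\d+\.\d+\.\d+:\d+)'
# One `pfctl -s state` line from pf on FreeBSD 5.x. The middle endpoint appears only
# when a nat/rdr rule rewrote the packet; "->" is an outbound state, "<-" inbound.
STATE_RE = re.compile(
    rf'^(?P<ifname>\S+)\s+(?P<proto>\S+)\s+(?P<local>{_EP})\s+(?P<dir>->|<-)\s+'
    rf'(?:(?P<translated>{_EP})\s+(?P=dir)\s+)?(?P<remote>{_EP})\s+'
    rf'(?P<src_state>[^:\s]+):(?P<dst_state>\S+)\s*$'
)

def parse_state(line: str) -> Dict[str, Optional[str]]:
    """Split one state line into its fields; 'translated' is None when no NAT/RDR applied."""
    m = STATE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised state line: {line!r}")
    return m.groupdict()

def saw_reply(st: Dict[str, Optional[str]]) -> bool:
    # pf's UDP tracker reports NO_TRAFFIC for a side it has never seen a packet from,
    # so <anything>:NO_TRAFFIC means the outbound packet left but no answer reached pf.
    return st["dst_state"] != "NO_TRAFFIC"

def states_without_reply(output: str) -> List[Dict[str, Optional[str]]]:
    """Translated states whose remote side never answered: where to point tcpdump."""
    hits = []
    for line in output.splitlines():
        if not line.strip() or line.startswith(("No ALTQ", "ALTQ")):
            continue  # pfctl's ALTQ warnings precede the table
        st = parse_state(line)
        if st["translated"] is not None and not saw_reply(st):
            hits.append(st)
    return hits

# Constructed sample: the three state lines quoted in the thread, one state per line.
SAMPLE = """\
No ALTQ support in kernel
ALTQ related functions disabled
self udp fec0:0:0:d::1[15001] -> 2001:b90:ee00:ff0b::1:3[52925] -> 2001:b90:ee00:51b:208:4ff:fe28:a1d2[8001] SINGLE:NO_TRAFFIC
self tcp fec0:0:0:d::1[49152] -> 2001:b90:ee00:ff0b::1[51223] -> 2001:b90:ee00:ff0b::10[22] ESTABLISHED:ESTABLISHED
self tcp fec0:0:0:d::1[22] <- 2001:b90:ee00:ff0b::1[22] <- 2001:b90:ee00:ff0b::10[49154] ESTABLISHED:ESTABLISHED
"""

if __name__ == "__main__":
    for st in states_without_reply(SAMPLE):
        print(f"{st['proto']} {st['local']} (as {st['translated']}) -> {st['remote']}: no reply seen")
```

Run against the sample it reports only the UDP state from the original question, which is exactly the flow to trace with tcpdump on the gateway and at the remote end.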
