From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Date: Sat, 12 Dec 2009 21:37:19 +0100
Subject: Re: IPv6, PF problem
Message-Id: <200912122137.19258.max@love2party.net>
In-Reply-To: <20091212012507.GD27716@x96.org>
References: <20091212012507.GD27716@x96.org>
User-Agent: KMail/1.12.4 (FreeBSD/8.0-RELEASE; KDE/4.3.4; amd64; ; )

On Saturday 12 December 2009 02:25:08 Aaron Stellman wrote:
> Hello there,
> Here is the problem I've encountered on a dual stack amd64 FreeBSD 8.0p1
> machine.
>
> What works:
> pass in on $ext_if proto tcp to port 21
>
> What doesn't work:
> pass in on $ext_if proto tcp to ($ext_if) port 21
>
> here is what's logged when it doesn't work:
> listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size
> 1515 bytes
> 00:00:00.000000 rule 0/0(match): block in on bge0:
> 2001:1938:235:beef:21b:21ff:fe37:d799.11220 >
> 2001:1938:235:dead:226:b9ff:fe75:6e5e.21: Flags [S], seq 413041093, win
> 65535, options [mss 1440,nop,nop,sackOK,nop,wscale 1,nop,nop,TS val
> 3435338387 ecr 0], length 0

What does "pfctl -vvsr" give you for the rule?  It should include the number
of addresses assigned to the interface in the braces - e.g. "... (bge0:4) ..."

In addition, can you try to add separate rules for inet and inet6 - i.e.

pass in on $ext_if inet proto tcp to ($ext_if) port 21
pass in on $ext_if inet6 proto tcp to ($ext_if) port 21

and check the number of addresses with pfctl -vvsr?

> ext_if="bge0"
>
> epsilon# ifconfig -a
> bge0: flags=8843 metric 0 mtu 1500
> options=9b
> ether 00:26:b9:75:6e:5e
> inet 10.10.11.5 netmask 0xffffffe0 broadcast 10.10.11.31
> inet6 fe80::226:b9ff:fe75:6e5e%bge0 prefixlen 64 scopeid 0x1
> inet 10.10.11.8 netmask 0xffffffe0 broadcast 10.10.11.31
> inet6 2001:1938:235:dead:226:b9ff:fe75:6e5e prefixlen 64 autoconf
> media: Ethernet autoselect (1000baseT )
> status: active
> lo0: flags=8049 metric 0 mtu 16384
> options=3
> inet 127.0.0.1 netmask 0xff000000
> inet6 ::1 prefixlen 128
> inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
> pflog0: flags=0<> metric 0 mtu 33152
>
>
> Notice, that it works as expected with IPv4; meaning that when I use "to
> ($ext_if)" and use ipv4 to connect, connection passes through, unlike
> IPv6.
> Also, OpenBSD pf works as expected with both IPv{4,6}
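A shell helper, added here as an example and not part of the thread, that automates the check Max describes: it counts the inet/inet6 addresses ifconfig lists on the interface and compares them with the N in the "(bge0:N)" token of pfctl -vvsr output. The ifconfig and pfctl text embedded in it is constructed (modelled on the thread's output; the (bge0:1) count and the exact pfctl line layout are assumed).

```shell
#!/bin/sh
# Added example, not code from the thread: compares the addresses ifconfig
# lists on an interface with the count pf shows for a "($if)" rule in
# "pfctl -vvsr" output, e.g. "(bge0:4)". Runs offline on the samples below.

# Constructed sample modelled on the ifconfig output quoted in the thread.
SAMPLE_IFCONFIG='bge0: flags=8843 metric 0 mtu 1500
    inet 10.10.11.5 netmask 0xffffffe0 broadcast 10.10.11.31
    inet6 fe80::226:b9ff:fe75:6e5e%bge0 prefixlen 64 scopeid 0x1
    inet 10.10.11.8 netmask 0xffffffe0 broadcast 10.10.11.31
    inet6 2001:1938:235:dead:226:b9ff:fe75:6e5e prefixlen 64 autoconf
lo0: flags=8049 metric 0 mtu 16384
    inet 127.0.0.1 netmask 0xff000000
    inet6 ::1 prefixlen 128'

# Constructed sample of one rule as "pfctl -vvsr" might print it; the
# layout is approximated and the (bge0:1) count is assumed, not observed.
SAMPLE_PFCTL='@0 pass in on bge0 inet6 proto tcp from any to (bge0:1) port = 21 flags S/SA keep state
  [ Evaluations: 12        Packets: 0         Bytes: 0           States: 0     ]'

# Count the inet and inet6 lines ifconfig prints under <ifname>.
# Usage: ifconfig_addr_count <ifname> "<ifconfig -a output>"
ifconfig_addr_count() {
    printf '%s\n' "$2" | awk -v ifn="$1" '
        /^[A-Za-z0-9]+:/ { cur = substr($1, 1, length($1) - 1) }
        cur == ifn && ($1 == "inet" || $1 == "inet6") { n++ }
        END { print n + 0 }'
}

# Pull N out of the first "(<ifname>:N)" token in pfctl -vvsr output.
# Usage: pf_rule_addr_count <ifname> "<pfctl -vvsr output>"
pf_rule_addr_count() {
    printf '%s\n' "$2" | sed -n "s/.*(${1}:\([0-9][0-9]*\)).*/\1/p" | head -n 1
}

# Returns 0 when pf tracks every address ifconfig shows, 1 when it does not
# (the situation to investigate when a "($ext_if)" rule fails to match).
check_dynamic_if() {
    have=$(ifconfig_addr_count "$1" "$2")
    seen=$(pf_rule_addr_count "$1" "$3")
    if [ "$have" = "$seen" ]; then
        echo "$1: pf tracks all $have addresses"
        return 0
    fi
    echo "$1: ifconfig lists $have addresses but the pf rule shows ($1:${seen:-none})"
    return 1
}

check_dynamic_if bge0 "$SAMPLE_IFCONFIG" "$SAMPLE_PFCTL" || true
```

On a live box, feed it `ifconfig -a` and `pfctl -vvsr` output instead of the samples; a count lower than ifconfig's address total is the discrepancy Max asks the poster to look for.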