Date: Thu, 31 Jul 2008 18:26:51 +0200
From: Max Laier <max@love2party.net>
To: freebsd-pf@freebsd.org
Cc: Tilman Linneweh <arved@arved.at>
Subject: Re: pf dropping packets despite pass all rule
Message-ID: <200807311826.51457.max@love2party.net>
In-Reply-To: <20080731153506.GA61317@arved.priv.at>
References: <20080731153506.GA61317@arved.priv.at>

On Thursday 31 July 2008 17:35:06 Tilman Linneweh wrote:
> Hi list,
>
> My setup:
>
> LAN -> Router with PF <- gif tunnel with IPSEC -> Server
>
> The router is running FreeBSD 7.0. Protocol is IPv6. ping6 works,
> but TCPv6 from LAN to Server does not work, unless I disable PF.
>
> Excerpt from pf.conf:
> pass in quick on gif0 all keep state
> pass out quick on gif0 all keep state
>
> pflog0 contains some strange packets:
> http://arved.priv.at/~arved/strangepackets.pcap

That dump is useless, please cap with "-s0".

> IPSEC_FILTERTUNNEL does not make a difference.
>
> I don't understand why pf is dropping something on gif0. And I can't decode
> what kind of packets these are, and why they are necessary for TCPv6.
>
> Any ideas?

I'd suspect ip-options. Try allow-opts and check "pfctl -si". If you really
want to trust gif0 completely, you could simply add "skip on gif0" and pf
will not mess with it at all.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
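
One way to read the counters that "pfctl -si" prints, as suggested in the reply above. This is an added example, not part of the original message: the sample output is constructed and the function names are hypothetical. A non-zero ip-option counter is what the suspicion in the reply would predict.

```shell
#!/bin/sh
# Added example: list the pf counters from `pfctl -si` that are non-zero.
# On the router, feed it live data with:  pfctl -si | nonzero_counters

# Constructed sample laid out like `pfctl -si` output; the numbers are made up.
sample_status() {
cat <<'EOF'
Status: Enabled for 0 days 01:02:03           Debug: Urgent

State Table                          Total             Rate
  current entries                        4
  searches                            9120            2.4/s
  inserts                               31            0.0/s
  removals                              27            0.0/s
Counters
  match                                412            0.1/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  ip-option                             57            0.0/s
  state-mismatch                         3            0.0/s
EOF
}

# Print "name count" for each line under the "Counters" heading whose count
# is non-zero. "match" is the explicit-rule-match counter, not one of pf's
# built-in drop reasons, so it is skipped.
nonzero_counters() {
    awk '
        /^Counters/              { in_counters = 1; next }
        in_counters && /^[^ \t]/ { in_counters = 0 }  # next unindented section
        in_counters && NF >= 2 && $1 != "match" && $2 + 0 > 0 { print $1, $2 }
    '
}

# Exit status 0 when the ip-option counter is non-zero in the input.
dropped_for_ip_options() {
    nonzero_counters | grep -q '^ip-option '
}

# Stand-alone run on the constructed sample.
sample_status | nonzero_counters
```

Run it before and after a failing TCPv6 connection attempt; the counter that increases between the two runs names the reason pf recorded for the drop.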