[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

openbsd 3.2, pf, and ipv6 tunnels

To: misc@openbsd.org
Subject: openbsd 3.2, pf, and ipv6 tunnels
From: Richard Welty <rwelty@averillpark.net>
Date: Sun, 3 Aug 2003 00:55:25 -0400 (EDT)
Content-Disposition: INLINE

i have a 3.2 system functioning as my home firewall right now. i'm
attempting to set up an ipv6 tunnel using the hurrican electric
tunnelbroker system, and having hacked my way past various HE issues, i'm
now looking at a pf issue i don't quite understand.

specifically, when from the firewall box, i use ping6 to hit the other end
of the tunnel, the echo replies are blocked.

at first, i had a simple pf rule on the gif0 interface to pass back icmp,
like so:

pass in log quick on $tunnel_if inet6 proto ipv6-icmp all
                         ipv6-icmp-type { 128, 129, 135, 136 }

this rule was being skipped, and the icmp traffic was being rejected with
this catch all from further down in pf.conf:

block in log quick on $ext_if all

i looked at the output from running tcpdump on pflog0, and noticed that the
icmp traffic was being characterized this way:

Aug 03 04:36:38.340291 rule 30/0(match): pass out on gif0:
     2001:470:1f00:ffff::2b9 > 2001:470:1f00:ffff::2b8: icmp6: echo request
Aug 03 04:36:38.438429 rule 18/0(match): block in on ep1:
     2001:470:1f00:ffff::2b8 > 2001:470:1f00:ffff::2b9: icmp6: echo reply (encap)

that is, out on gif0 ($tunnel_if in pf.conf) and coming back on ep1
($ext_if) 

so i added a pass in log quick on $ext_if in addition to the pass in on
$tunnel_if

no effect, the traffic is still being blocked on rule 18, which is the
block in log quick on $ext_if all

the relevant block of rules (from pfctl -s rules) is as follows:

@8 pass in log quick on gif0 inet6 proto ipv6-icmp all ipv6-icmp-type neighbradv
@9 pass in log quick on gif0 inet6 proto ipv6-icmp all ipv6-icmp-type neighbrsol
@10 pass in log quick on gif0 inet6 proto ipv6-icmp all ipv6-icmp-type echorep
@11 pass in log quick on gif0 inet6 proto ipv6-icmp all ipv6-icmp-type echoreq
@12 pass in log quick on ep1 inet6 proto ipv6-icmp all ipv6-icmp-type neighbradv
@13 pass in log quick on ep1 inet6 proto ipv6-icmp all ipv6-icmp-type neighbrsol
@14 pass in log quick on ep1 inet6 proto ipv6-icmp all ipv6-icmp-type echorep
@15 pass in log quick on ep1 inet6 proto ipv6-icmp all ipv6-icmp-type echoreq
@16 block return-rst in log quick on ep1 proto tcp all
@17 block return-icmp in log quick on ep1 proto udp all
@18 block in log quick on ep1 all

so just how do i get this traffic to pass through?

thanks,
  richard
--
Richard Welty                                         rwelty@averillpark.net
Averill Park Networking                                         518-573-7592
    Java, PHP, PostgreSQL, Unix, Linux, IP Network Engineering, Security

Follow-Ups:
- Re: openbsd 3.2, pf, and ipv6 tunnels
  - From: "Asbjorn L. Johansen" <notsane@sveitt.org>

Prev by Date: Re: Driver development, recommended reading?
Next by Date: Hybrid is up and running
Prev by thread: Re: Driver development, recommended reading?
Next by thread: Re: openbsd 3.2, pf, and ipv6 tunnels
Index(es):
- Date
- Thread