Re: openbsd 3.2, pf, and ipv6 tunnels
Richard Welty wrote:
> I have a 3.2 system functioning as my home firewall right now. I'm
> attempting to set up an IPv6 tunnel using the Hurricane Electric
> tunnelbroker system, and having hacked my way past various HE issues, I'm
> now looking at a pf issue I don't quite understand.
>
> Specifically, when from the firewall box I use ping6 to hit the other end
> of the tunnel, the echo replies are blocked.
>
> At first, I had a simple pf rule on the gif0 interface to pass back ICMP,
> like so:
>
> pass in log quick on $tunnel_if inet6 proto ipv6-icmp all \
>     ipv6-icmp-type { 128, 129, 135, 136 }
>
> This rule was being skipped, and the ICMP traffic was being rejected with
> this catch-all from further down in pf.conf:
>
> block in log quick on $ext_if all
>
> I looked at the output from running tcpdump on pflog0, and noticed that the
> ICMP traffic was being characterized this way:
>
> Aug 03 04:36:38.340291 rule 30/0(match): pass out on gif0:
> 2001:470:1f00:ffff::2b9 > 2001:470:1f00:ffff::2b8: icmp6: echo request
> Aug 03 04:36:38.438429 rule 18/0(match): block in on ep1:
> 2001:470:1f00:ffff::2b8 > 2001:470:1f00:ffff::2b9: icmp6: echo reply (encap)
>
> That is, out on gif0 ($tunnel_if in pf.conf) and coming back on ep1
> ($ext_if).
>
> So I added a pass in log quick on $ext_if in addition to the pass in on
> $tunnel_if.
>
> No effect, the traffic is still being blocked on rule 18, which is the
> block in log quick on $ext_if all.
>
> The relevant block of rules (from pfctl -s rules) is as follows:
>
> @8 pass in log quick on gif0 inet6 proto ipv6-icmp all ipv6-icmp-type neighbradv
> @9 pass in log quick on gif0 inet6 proto ipv6-icmp all ipv6-icmp-type neighbrsol
> @10 pass in log quick on gif0 inet6 proto ipv6-icmp all ipv6-icmp-type echorep
> @11 pass in log quick on gif0 inet6 proto ipv6-icmp all ipv6-icmp-type echoreq
> @12 pass in log quick on ep1 inet6 proto ipv6-icmp all ipv6-icmp-type neighbradv
> @13 pass in log quick on ep1 inet6 proto ipv6-icmp all ipv6-icmp-type neighbrsol
> @14 pass in log quick on ep1 inet6 proto ipv6-icmp all ipv6-icmp-type echorep
> @15 pass in log quick on ep1 inet6 proto ipv6-icmp all ipv6-icmp-type echoreq
> @16 block return-rst in log quick on ep1 proto tcp all
> @17 block return-icmp in log quick on ep1 proto udp all
> @18 block in log quick on ep1 all
>
> So just how do I get this traffic to pass through?
Shouldn't you have a rule like this:
pass in [log] quick on $ext_if inet proto ipv6 from $tbipv4 to $ext_addr
That is what I had to use to get tunneled ipv6 traffic through.
--
Asbjørn L. Johansen
notsane@sveitt.org
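A pf.conf fragment that puts the suggested rule next to the original poster's rules, as an added example that is not part of the thread. The interface macros follow the thread (ep1, gif0); the two IPv4 addresses are placeholders from the documentation ranges, not the poster's real address or Hurricane Electric's real endpoint, and the syntax is the OpenBSD 3.2 one visible in the pfctl output (ipv6-icmp-type; newer releases spell it icmp6-type).

```pf
# Added example, not from the thread. Macro values are assumptions:
# 192.0.2.10 and 203.0.113.1 are documentation-range placeholders.
ext_if    = "ep1"
tunnel_if = "gif0"
ext_addr  = "192.0.2.10"      # assumed: our public IPv4 address
tbipv4    = "203.0.113.1"     # assumed: tunnel broker's IPv4 endpoint

# Decapsulated IPv6 is what pf sees on gif0, so the inet6 rules belong here.
pass in  log quick on $tunnel_if inet6 proto ipv6-icmp all \
    ipv6-icmp-type { 128, 129, 135, 136 }
pass out log quick on $tunnel_if inet6 all

# On ep1 the same packets are IPv4 carrying protocol 41 ("ipv6" in
# /etc/protocols); tcpdump flags them "(encap)". An inet6 rule on $ext_if
# can never match them, so they fall through to the catch-all block.
# BROKEN (rules @12-@15 in the thread): address family is wrong for ep1.
#   pass in log quick on $ext_if inet6 proto ipv6-icmp all ipv6-icmp-type echorep
# FIXED: admit the encapsulated tunnel traffic, from the broker only.
pass in  log quick on $ext_if inet proto ipv6 from $tbipv4 to $ext_addr
pass out log quick on $ext_if inet proto ipv6 from $ext_addr to $tbipv4

# The external catch-alls stay below the tunnel rules, as in the thread.
block return-rst  in log quick on $ext_if proto tcp all
block return-icmp in log quick on $ext_if proto udp all
block in log quick on $ext_if all
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, then watch `tcpdump -n -e -ttt -i pflog0` while running ping6: the "(encap)" echo reply on ep1 should now log against the new pass rule instead of the block rule. Pinning the source to $tbipv4 matters: a bare `proto ipv6` pass would admit protocol-41 packets from any host, and the only legitimate sender of encapsulated IPv6 here is the broker's endpoint.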