* Max Laier [2008-07-31 18:27]:
> > LAN -> Router with PF <- gif tunnel with IPSEC -> Server
> >
> > The router is running FreeBSD 7.0. Protocol is IPv6. ping6 works,
> > but TCPv6 from LAN to Server does not work, unless I disable PF.
> >
> > Excerpt from pf.conf:
> > pass in quick on gif0 all keep state
> > pass out quick on gif0 all keep state
> >
> > pflog0 contains some strange packets:
> > http://arved.priv.at/~arved/strangepackets.pcap
>
> That dump is useless, please cap with "-s0".

Hm indeed, sorry, http://arved.priv.at/~arved/strangepackets2.pcap

> > IPSEC_FILTERTUNNEL does not make a difference.
> >
> > I don't understand why pf is dropping something on gif0. And I can't decode
> > what kind of packets these are, and why they are necessary for TCPv6.
> >
> > Any ideas?
>
> I'd suspect ip-options. Try allow-opts and check "pfctl -si". If you really
> want to trust gif0 completely, you could simply add "skip on gif0" and pf will
> not mess with it at all.

Ok, allow-opts does not change anything. skip on gif0 works.
pfctl -si confirms that there are packets blocked.

Status: Enabled for 0 days 02:37:07           Debug: Urgent

Interface Stats for gif0              IPv4             IPv6
  Bytes In                               0           261859
  Bytes Out                              0           207299
  Packets In
    Passed                               0             2347
    Blocked                              0               90
  Packets Out
    Passed                               0             2185
    Blocked                              0                0

State Table                          Total             Rate
  current entries                       31
  searches                           44046            4.7/s
  inserts                             2768            0.3/s
  removals                            2737            0.3/s
Counters
  match                              13425            1.4/s
  bad-offset                             0            0.0/s
  [...rest is all zeros]

...and later:

status: Enabled for 0 days 02:37:21           Debug: Urgent

Interface Stats for gif0              IPv4             IPv6
  Bytes In                               0           263327
  Bytes Out                              0           208711
  Packets In
    Passed                               0             2356
    Blocked                              0               96
  Packets Out
    Passed                               0             2197
    Blocked                              0                0

State Table                          Total             Rate
  current entries                       30
  searches                           44128            4.7/s
  inserts                             2772            0.3/s
  removals                            2742            0.3/s
Counters
  match                              13451            1.4/s
  bad-offset                             0            0.0/s

So yeah, thanks for the "skip on" hint, I can do the filtering on the
non-gif interfaces, but I still would like to know what's going on, and
why these packets are blocked.

regards
arved
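
Added example (not part of the original mail): a small Python parser for the `pfctl -si` output quoted above that diffs two snapshots, so the counters that moved between them stand out. The column layout in `LAYOUT` is reconstructed and the key names are this example's own; the numbers are the ones from the post.

```python
import re
# Column layout reconstructed for this example; the numbers are from the post.
LAYOUT = """\
Interface Stats for gif0              IPv4             IPv6
  Bytes In                               0  {0:>15}
  Bytes Out                              0  {1:>15}
  Packets In
    Passed                               0  {2:>15}
    Blocked                              0  {3:>15}
  Packets Out
    Passed                               0  {4:>15}
    Blocked                              0  {5:>15}
State Table                          Total             Rate
  current entries                {6:>9}
  searches                       {7:>9}            4.7/s
  inserts                        {8:>9}            0.3/s
  removals                       {9:>9}            0.3/s
Counters
  match                          {10:>9}            1.4/s
"""
FIRST = LAYOUT.format(261859, 207299, 2347, 90, 2185, 0, 31, 44046, 2768, 2737, 13425)
SECOND = LAYOUT.format(263327, 208711, 2356, 96, 2197, 0, 30, 44128, 2772, 2742, 13451)

ROW = re.compile(r"^\s*(.+?)\s+(\d+)(?:\s+(\S+))?\s*$")  # name, number, optional 2nd column
def parse_pfctl_si(text):
    """Return {counter name: cumulative value} parsed from `pfctl -si` output."""
    stats, section, group = {}, None, ""
    for line in text.splitlines():
        head = line.strip()
        if head.startswith("Interface Stats"):
            section, group = "if", ""
        elif head.startswith(("State Table", "Counters")):
            section, group = head.split()[0].lower(), ""   # "state" or "counters"
        elif head in ("Packets In", "Packets Out"):
            group = head + " "            # prefix for the Passed/Blocked rows below
        elif section and (m := ROW.match(line)):
            name, first, second = m.groups()
            if section == "if":           # columns are IPv4, then IPv6
                stats[group + name + " IPv4"] = int(first)
                stats[group + name + " IPv6"] = int(second)
            else:                         # columns are Total, then Rate; keep Total
                stats[f"{section}: {name}"] = int(first)
    return stats

def delta(before, after):  # counters that changed, as {name: change}
    return {k: after[k] - before[k] for k in after if k in before and after[k] != before[k]}

if __name__ == "__main__":
    print(delta(parse_pfctl_si(FIRST), parse_pfctl_si(SECOND)))
```

On the two snapshots from the post, taken 14 seconds apart, this reports 6 more inbound IPv6 packets blocked on gif0 and no change in outbound blocks.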
