On 20.12.2010 at 21:54, Stuart Henderson wrote:

Increase your snaplen, and you'll see more details which might show you
what you need to pass, e.g. tcpdump -nevvipflog0 -s500
-----
block in on enc0: 1.2.3.4 > 5.6.7.8: 2001:1234:2:10::b > 2001:7fe::53: icmp6: echo request
-----
The last rule should take care of it:
-----
match on enc0 all scrub (max-mss 1300)
block return log all label "block all"
...
pass quick inet6 proto icmp6 icmp6-type \
    { neighbradv, routeradv, neighbrsol, fqdnreq, echoreq }
-----
but the echoreq is never evaluated.
Even a ping6 from the tunnel to one of the interfaces of the vpn
gateway is blocked.

Axel
---
[email protected]  PGP-Key:29E99DD6  +49 151 2300 9283  computing @
chaos claudius