Penned by Michael Mercier on 20120812 12:03.16, we have:
| Hello,
|
| I am seeing a behavior in pf that I don't understand.
|
| # uname -mrvp
| 5.0 GENERIC#36 sparc64 SUNW,UltraSPARC-IIIi (rev 2.4) @ 1062 MHz
|
| When I have the following configured:
|
| (not complete configuration)
|
| ext_if = "hme0"
| int_if = "bge0"
|
| ipv6gws = "{ a.b.c.192 a.b.c.193 a.b.c.194 a.b.c.195 }"
|
| block log all
|
| # permit proto 41 to/from ipv6 gws
| #pass log quick on $ext_if inet proto 41 from any to any
| pass in log quick on $ext_if inet proto 41 from $ipv6gws to ($ext_if)
| pass out log quick on $ext_if inet proto 41 from ($ext_if) to $ipv6gws

Try adding:

pass log quick on gif inet6

Just because you pass the outer tunnel traffic doesn't mean you're passing the inner tunnel traffic.

| pfctl -s rules produces:
| pass in log quick on hme0 inet proto ipv6 from a.b.c..192 to (hme0)
| pass in log quick on hme0 inet proto ipv6 from a.b.c..193 to (hme0)
| pass in log quick on hme0 inet proto ipv6 from a.b.c..194 to (hme0)
| pass in log quick on hme0 inet proto ipv6 from a.b.c..195 to (hme0)
| pass out log quick on hme0 inet proto ipv6 from (hme0) to a.b.c..192
| pass out log quick on hme0 inet proto ipv6 from (hme0) to a.b.c..193
| pass out log quick on hme0 inet proto ipv6 from (hme0) to a.b.c..194
| pass out log quick on hme0 inet proto ipv6 from (hme0) to a.b.c..195
|
| gif interface:
| ifconfig gif5 create
| ifconfig gif5 tunnel a.b.c.195 x.y.z.38
| ifconfig gif5 up
| route -n add -inet6 default ::1 -ifp gif5
|
| but this traffic is blocked by pf ($ext_if - hme0 is x.y.z.38):
|
| 20:31:03.536279 rule 11/(match) [uid 0, pid 28111] block in on hme0:
| a.b.c.195 > x.y.z.38: a:b:c:d::e > a:c:f:13:111:512f:f07a:8193:
| [|tcp] (len 28, hlim 57) (ttl 251, id 37052, len 88)
|
| rule 11 is "block log all" from above
|
| but if I uncomment the rule:
| pass log quick on $ext_if inet proto 41 from any to any
| traffic passes.
|
| NOTE: I have also tried modifying the rules to have $ext_if instead
| of ($ext_if) with the same results.
|
| My question is, what is being blocked by the rule?
|
| Thanks,
| Mike

--
Todd Fries .. t...@fries.net

Free Daemon Consulting, LLC
http://FreeDaemonConsulting.com
2525 NW Expy #525, Oklahoma City, OK 73112
"..in support of free software solutions."
1.636.410.0632 (voice) / 1.405.227.9094 (voice) / 1.866.792.3418 (FAX)
sip:freedae...@ekiga.net / sip:4052279...@ekiga.net
37E7 D3EB 74D0 8D66 A68D B866 0326 204E 3F42 004A http://todd.fries.net/pgp.txt
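The two-layer rule set the reply describes, written out as an added example (this is not configuration posted by either participant in the thread). It reuses the interface names and anonymized address placeholders from the question; the port list and the choice of narrowing the gif rule to specific services are assumptions for illustration. An IPv6-in-IPv4 tunnel packet is evaluated by pf twice: once as the outer IPv4 packet (protocol 41) on the physical interface, and again, after decapsulation, as the inner IPv6 packet on the gif interface. Each pass needs its own rule, because "block log all" applies to both.

```pf
# Added example, not from the thread. Interface names and the a.b.c.x /
# x.y.z.38 placeholders follow the question; the service ports are assumed.
ext_if  = "hme0"
tun_if  = "gif5"
ipv6gws = "{ a.b.c.192 a.b.c.193 a.b.c.194 a.b.c.195 }"

block log all

# Layer 1: the outer IPv4 packets. Protocol 41 is IPv6-in-IPv4; these
# rules match what arrives on and leaves the physical interface.
pass in  log quick on $ext_if inet proto 41 from $ipv6gws to ($ext_if)
pass out log quick on $ext_if inet proto 41 from ($ext_if) to $ipv6gws

# Layer 2: the inner IPv6 packets, seen again by pf on the gif interface
# after decapsulation. A blanket "pass log quick on gif inet6" works too;
# this narrows inbound traffic to the services actually offered.
pass in  log quick on $tun_if inet6 proto icmp6 all
pass in  log quick on $tun_if inet6 proto tcp from any to any \
    port { 22 80 443 } flags S/SA keep state
pass out log quick on $tun_if inet6 from any to any keep state
```

Load it with `pfctl -nf /etc/pf.conf` first (syntax check only, nothing installed), then `pfctl -f /etc/pf.conf` and `pfctl -sr` to confirm both layers are present. When something is still dropped, the interface name in the pflog record (`tcpdump -n -e -ttt -i pflog0`) tells you which layer lacks a rule: a block "on hme0" showing an `a.b.c.x > x.y.z.38` header is the outer protocol-41 packet, while a block "on gif5" showing only IPv6 addresses is the decapsulated inner packet.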