Penned by Michael Mercier on 20120812 12:03.16, we have:
| Hello,
| 
| I am seeing a behavior in pf that I don't understand.
| 
| # uname -mrvp
| 5.0 GENERIC#36 sparc64 SUNW,UltraSPARC-IIIi (rev 2.4) @ 1062 MHz
| 
| When I have the following configured:
| 
| (not complete configuration)
| 
| ext_if = "hme0"
| int_if = "bge0"
| 
| ipv6gws = "{ a.b.c.192 a.b.c.193 a.b.c.194 a.b.c.195 }"
| 
| block log all
| 
| # permit proto 41 to/from ipv6 gws
| #pass log quick on $ext_if inet proto 41 from any to any
| pass in log quick on $ext_if inet proto 41 from $ipv6gws to ($ext_if)
| pass out log quick  on $ext_if inet proto 41 from ($ext_if) to $ipv6gws

Try adding:

  pass log quick on gif inet6 

Just because you pass the outer tunnel traffic doesn't mean you're passing the
inner tunnel traffic.

| pfctl -s rules produces:
| pass in log quick on hme0 inet proto ipv6 from a.b.c..192 to (hme0)
| pass in log quick on hme0 inet proto ipv6 from a.b.c..193 to (hme0)
| pass in log quick on hme0 inet proto ipv6 from a.b.c..194 to (hme0)
| pass in log quick on hme0 inet proto ipv6 from a.b.c..195 to (hme0)
| pass out log quick on hme0 inet proto ipv6 from (hme0) to a.b.c..192
| pass out log quick on hme0 inet proto ipv6 from (hme0) to a.b.c..193
| pass out log quick on hme0 inet proto ipv6 from (hme0) to a.b.c..194
| pass out log quick on hme0 inet proto ipv6 from (hme0) to a.b.c..195
| 
| gif interface:
| ifconfig gif5 create
| ifconfig gif5 tunnel a.b.c.195 x.y.z.38
| ifconfig gif5 up
| route -n add -inet6 default ::1 -ifp gif5
| 
| but this traffic is blocked by pf ($ext_if - hme0 is x.y.z.38):
| 
| 20:31:03.536279 rule 11/(match) [uid 0, pid 28111] block in on hme0:
| a.b.c.195 > x.y.z.38: a:b:c:d::e > a:c:f:13:111:512f:f07a:8193:
| [|tcp] (len 28, hlim 57) (ttl 251, id 37052, len 88)
| 
| rule 11 is "block log all" from above
| 
| but if I uncomment the rule:
| pass log quick on $ext_if inet proto 41 from any to any
| traffic passes.
| 
| NOTE:  I have also tried modifying the rules to have $ext_if instead
| of ($ext_if) with the same results.
| 
| My question is, what is being blocked by the rule?
| 
| Thanks,
| Mike

-- 
Todd Fries .. t...@fries.net

 _____________________________________________
|                                             \  1.636.410.0632 (voice)
| Free Daemon Consulting, LLC                 \  1.405.227.9094 (voice)
| http://FreeDaemonConsulting.com             \  1.866.792.3418 (FAX)
| 2525 NW Expy #525, Oklahoma City, OK 73112  \  sip:freedae...@ekiga.net
| "..in support of free software solutions."  \  sip:4052279...@ekiga.net
 \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
                                                 
              37E7 D3EB 74D0 8D66 A68D  B866 0326 204E 3F42 004A
                        http://todd.fries.net/pgp.txt
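To make the two-stage evaluation described in the reply concrete, here is an added pf.conf fragment (not from the original thread or from either poster) that combines the quoted outer proto 41 rules with an explicit rule for the decapsulated IPv6 traffic on the gif interface. The macro names and placeholder addresses are the poster's; `tun_if` and `gif5` are assumed from the quoted ifconfig commands.

```pf
# Added example; macros and placeholder addresses follow the quoted configuration.
ext_if  = "hme0"
int_if  = "bge0"
tun_if  = "gif5"          # assumed from the quoted "ifconfig gif5 create"
ipv6gws = "{ a.b.c.192 a.b.c.193 a.b.c.194 a.b.c.195 }"

block log all

# Stage 1: the encapsulating IPv4 packets (IP protocol 41) arriving on and
# leaving the external interface.  These rules only ever see the outer header.
pass in  log quick on $ext_if inet proto 41 from $ipv6gws to ($ext_if)
pass out log quick on $ext_if inet proto 41 from ($ext_if) to $ipv6gws

# Stage 2: once gif5 strips the IPv4 header, the inner IPv6 packet is run
# through the ruleset a second time, now with gif5 as its interface.  With no
# matching rule it falls through to "block log all" above.  Naming the tunnel
# interface is narrower than "on gif", which matches the whole gif interface
# group (every gifN device).
pass log quick on $tun_if inet6
```

Which stage is dropping a packet can be read from the interface name in the pflog record (`block in on hme0` versus `block in on gif5`), for example with `tcpdump -n -e -ttt -i pflog0`.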
