Re: Need a PF consultant
Hello,

Thanks for all your replies.

Donald, the IPv6 DNS is working fine in this situation.

Kristof, here's what I originally had in my pf.conf file for ICMP:

pass out quick on $ext_if proto { icmp, icmp6 } modulate state
pass in quick on $ext_if proto { icmp, icmp6 }

I commented that out, added in your rules, disabled and reenabled PF, and did a ping6. Good news is the first time I tried ping6 it worked; bad news is the second time I tried it, about two minutes later, it sent out the ping6 but didn't return anything, zero packets received. A few minutes later it was doing the UDP connect no route to host thing again.

While the original focus of my question was IPv6, would you be willing to assist me with my general configuration? As I said, I can go into much more detail on this.

Thanks.
Dave.

On 6/21/20, Kristof Provost wrote:
> On 21 Jun 2020, at 23:11, David Mehler wrote:
>> Anyone a pf expert wanting to make some extra money?
>>
>> I'm in need of consulting, I'm having an issue with my PF
>> configuration, I've got a much longer message with output and netstat
>> and all that, if anyone is interested email me privately with rates
>> and I'll send the details, but in brief I've got FreeBSD 12.1 going,
>> my provider gives me an IPv6 address, on boot if I ping6 out I get a
>> UDP connect no route to host message, disable and reenable pf and I
>> can ping6 out as root, and as a user, for about five minutes, then I
>> start getting packets are able to be sent out, but nothing comes back.
>> About five minutes later again as root and as a user I'm getting the
>> UDP connect no route to host message.
>>
> That sounds a lot like you're dropping router and/or neighbour
> advertisements.
>
> Make sure you've got at least the following pass rules:
>
> # IPv6 link-local traffic
> pass quick inet6 proto icmp6 from :: to ff02::/16
> pass quick inet6 proto icmp6 from fe80::/10 to fe80::/10
> pass quick inet6 proto icmp6 from fe80::/10 to ff02::/16
>
> # IPv6 Traffic That Must Not Be Dropped (RFC4890 4.3.1)
> pass quick inet6 proto icmp6 from any to any icmp6-type { unreach, toobig }
> pass quick inet6 proto icmp6 from any to any icmp6-type timex code 0
> pass quick inet6 proto icmp6 from any to any icmp6-type { paramprob code 1, paramprob code 2 }
> pass quick inet6 proto icmp6 from any to any icmp6-type { echoreq, echorep }
>
> # IPv6 Traffic That Normally Should Not Be Dropped (RFC4890 4.3.2)
> pass quick inet6 proto icmp6 from any to any icmp6-type timex code 1
> pass quick inet6 proto icmp6 from any to any icmp6-type paramprob code 0
>
> # IPv6 local configuration (ND, DAD, RS, etc...)
> pass quick inet6 proto icmp6 from any to any icmp6-type { routersol, routeradv }
> pass quick inet6 proto icmp6 from any to any icmp6-type { neighbrsol, neighbradv }
> pass quick inet6 proto icmp6 from any to any icmp6-type { 141, 142 }
> pass quick inet6 proto icmp6 from any to any icmp6-type { listqry, listenrep, listendone, 143 }
> pass quick inet6 proto icmp6 from any to any icmp6-type { 148, 149 }
> pass quick inet6 proto icmp6 from any to any icmp6-type { 151, 152, 153 }
>
> At a guess the routersol/routeradv and neighbrsol/neighbradv are the ones
> you're running into, but you likely want to allow all of these.
>
> Best regards,
> Kristof

___
freebsd-pf@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"
Re: Need a PF consultant
On 21 Jun 2020, at 23:11, David Mehler wrote:
> Anyone a pf expert wanting to make some extra money?
>
> I'm in need of consulting, I'm having an issue with my PF
> configuration, I've got a much longer message with output and netstat
> and all that, if anyone is interested email me privately with rates
> and I'll send the details, but in brief I've got FreeBSD 12.1 going,
> my provider gives me an IPv6 address, on boot if I ping6 out I get a
> UDP connect no route to host message, disable and reenable pf and I
> can ping6 out as root, and as a user, for about five minutes, then I
> start getting packets are able to be sent out, but nothing comes back.
> About five minutes later again as root and as a user I'm getting the
> UDP connect no route to host message.
>
That sounds a lot like you're dropping router and/or neighbour advertisements.

Make sure you've got at least the following pass rules:

# IPv6 link-local traffic
pass quick inet6 proto icmp6 from :: to ff02::/16
pass quick inet6 proto icmp6 from fe80::/10 to fe80::/10
pass quick inet6 proto icmp6 from fe80::/10 to ff02::/16

# IPv6 Traffic That Must Not Be Dropped (RFC4890 4.3.1)
pass quick inet6 proto icmp6 from any to any icmp6-type { unreach, toobig }
pass quick inet6 proto icmp6 from any to any icmp6-type timex code 0
pass quick inet6 proto icmp6 from any to any icmp6-type { paramprob code 1, paramprob code 2 }
pass quick inet6 proto icmp6 from any to any icmp6-type { echoreq, echorep }

# IPv6 Traffic That Normally Should Not Be Dropped (RFC4890 4.3.2)
pass quick inet6 proto icmp6 from any to any icmp6-type timex code 1
pass quick inet6 proto icmp6 from any to any icmp6-type paramprob code 0

# IPv6 local configuration (ND, DAD, RS, etc...)
pass quick inet6 proto icmp6 from any to any icmp6-type { routersol, routeradv }
pass quick inet6 proto icmp6 from any to any icmp6-type { neighbrsol, neighbradv }
pass quick inet6 proto icmp6 from any to any icmp6-type { 141, 142 }
pass quick inet6 proto icmp6 from any to any icmp6-type { listqry, listenrep, listendone, 143 }
pass quick inet6 proto icmp6 from any to any icmp6-type { 148, 149 }
pass quick inet6 proto icmp6 from any to any icmp6-type { 151, 152, 153 }

At a guess the routersol/routeradv and neighbrsol/neighbradv are the ones you're running into, but you likely want to allow all of these.

Best regards,
Kristof
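A small checker, added here as an example and not part of the thread, that reads a pf ruleset and reports which of the RFC 4890 4.3.1 types and the RS/RA/NS/NA types named above no pass rule admits. It is run over Dave's two original rules, an excerpt of Kristof's ruleset, and a constructed ping-only ruleset; type-name numbers follow icmp6(4), and the parser deliberately ignores block rules and pf's last-match/quick ordering.

```python
import re

# ICMPv6 type names pf accepts in icmp6-type (icmp6(4)), mapped to type numbers.
ICMP6_TYPES = {"unreach": 1, "toobig": 2, "timex": 3, "paramprob": 4, "echoreq": 128,
               "echorep": 129, "listqry": 130, "listenrep": 131, "listendone": 132,
               "routersol": 133, "routeradv": 134, "neighbrsol": 135, "neighbradv": 136}
# What the thread's ruleset exists to admit: RFC 4890 4.3.1 "must not drop" plus RS/RA/NS/NA.
REQUIRED = {"unreach", "toobig", "timex", "paramprob", "echoreq", "echorep",
            "routersol", "routeradv", "neighbrsol", "neighbradv"}
PROTO_RE = re.compile(r"\bproto\s+(?:icmp6\b|\{[^}]*\bicmp6\b[^}]*\})")
TYPE_RE = re.compile(r"\bicmp6-type\s+(\{[^}]*\}|\S+)")

def passed_icmp6_types(ruleset):
    """Type numbers admitted by 'pass ... proto icmp6' rules; None if some pass rule
    has no icmp6-type clause (it admits every type). Coarse by design: block rules and
    pf's last-match/quick ordering are not evaluated."""
    passed = set()
    for raw in ruleset.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("pass") or not PROTO_RE.search(line):
            continue
        m = TYPE_RE.search(line)
        if m is None:
            return None
        for item in m.group(1).strip("{}").split(","):
            tok = item.split()[0]                       # 'paramprob code 1' -> 'paramprob'
            passed.add(int(tok) if tok.isdigit() else ICMP6_TYPES[tok])
    return passed

def missing_required(ruleset):
    """Names from REQUIRED that no pass rule admits; [] means the ruleset covers them all."""
    passed = passed_icmp6_types(ruleset)
    return [] if passed is None else sorted(n for n in REQUIRED if ICMP6_TYPES[n] not in passed)

# Dave's original two rules, as quoted in the thread: no icmp6-type clause, so every type passes.
DAVE_ORIGINAL = ("pass out quick on $ext_if proto { icmp, icmp6 } modulate state\n"
                 "pass in quick on $ext_if proto { icmp, icmp6 }\n")

# Excerpt of Kristof's ruleset: the RFC 4890 4.3.1 lines and the ND/RA lines.
KRISTOF_EXCERPT = """pass quick inet6 proto icmp6 from any to any icmp6-type { unreach, toobig }
pass quick inet6 proto icmp6 from any to any icmp6-type timex code 0
pass quick inet6 proto icmp6 from any to any icmp6-type { paramprob code 1, paramprob code 2 }
pass quick inet6 proto icmp6 from any to any icmp6-type { echoreq, echorep }
pass quick inet6 proto icmp6 from any to any icmp6-type { routersol, routeradv }
pass quick inet6 proto icmp6 from any to any icmp6-type { neighbrsol, neighbradv }
"""

# Constructed weak ruleset: only ping gets through, so RS/RA/NS/NA are dropped and SLAAC fails.
PING_ONLY = "pass quick inet6 proto icmp6 from any to any icmp6-type { echoreq, echorep }\n"
```

`missing_required(PING_ONLY)` lists eight missing types, while both the original rules (no icmp6-type clause at all) and Kristof's excerpt come back clean, which is consistent with the thread not finding the cause in the pass rules themselves.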
Re: Need a PF consultant
David,

Run a check on the IPv6 DNS server you are using. I live in eastern Tennessee and Namebench -6 is unable to find a reliable server for IPv6. I am no expert but that turned out to be the issue with my PF firewall setup. No harm checking.

Regards,
Don Mickunas

On Sun, Jun 21, 2020, at 17:11, David Mehler wrote:
> Hello,
>
> Anyone a pf expert wanting to make some extra money?
>
> I'm in need of consulting, I'm having an issue with my PF
> configuration, I've got a much longer message with output and netstat
> and all that, if anyone is interested email me privately with rates
> and I'll send the details, but in brief I've got FreeBSD 12.1 going,
> my provider gives me an IPv6 address, on boot if I ping6 out I get a
> UDP connect no route to host message, disable and reenable pf and I
> can ping6 out as root, and as a user, for about five minutes, then I
> start getting packets are able to be sent out, but nothing comes back.
> About five minutes later again as root and as a user I'm getting the
> UDP connect no route to host message.
>
> I've got two different rulesets.
>
> I'd appreciate any help.
>
> Thanks.
> Dave.
Need a PF consultant
Hello,

Anyone a pf expert wanting to make some extra money?

I'm in need of consulting, I'm having an issue with my PF configuration, I've got a much longer message with output and netstat and all that, if anyone is interested email me privately with rates and I'll send the details, but in brief I've got FreeBSD 12.1 going, my provider gives me an IPv6 address, on boot if I ping6 out I get a UDP connect no route to host message, disable and reenable pf and I can ping6 out as root, and as a user, for about five minutes, then I start getting packets are able to be sent out, but nothing comes back. About five minutes later again as root and as a user I'm getting the UDP connect no route to host message.

I've got two different rulesets.

I'd appreciate any help.

Thanks.
Dave.