Another observation as I look into this: when I remove /etc/pf.conf and use the initial temporary pf RULES set in /etc/rc, a couple of unexpected things happen. The `ping6 $gateway` workaround in /etc/rc right before 'starting early daemons:' doesn't work; ping6 reports No route to host. There is no rule echoreq for inet6.
But, after the system is up, I can ssh to it briefly before the ssh session is frozen and disconnected. Disabling pf (from the console) when ssh has frozen will immediately unfreeze the ssh session so it will not disconnect. Is that the expected behavior of these initial temporary pf RULES? (These initial rules also have the NDP passes that Claudio suggested.)

block drop all
pass out inet6 proto ipv6-icmp all icmp6-type neighbrsol
pass out inet6 proto ipv6-icmp all icmp6-type routersol
pass out inet6 proto udp from any port = 546 to any port = 547
pass out inet proto icmp all icmp-type echoreq
pass out inet proto udp from any port = 68 to any port = 67
pass out proto tcp from any to any port = 53 flags S/SA
pass out proto udp from any to any port = 53
pass in inet6 proto ipv6-icmp all icmp6-type neighbradv
pass in inet6 proto ipv6-icmp all icmp6-type routeradv
pass in inet6 proto udp from any port = 547 to any port = 546
pass in proto tcp from any to any port = 22 flags S/SA
pass in inet proto udp from any port = 67 to any port = 68
pass on lo0 all flags S/SA
pass in proto carp all keep state (no-sync)
pass out proto carp all !received-on any keep state (no-sync)
