On Sat, 03 Jul 2010 15:29:33 +0200, Reinhard Haller wrote:
> Hi,
>
> I recently discovered a strange behavior on my border router. In the
> following ruleset:
>
> block log all
> block in log quick from urpf-failed to any
> pass quick on $int_if inet6 proto udp from any to any port ripng
> block drop on !$int_if inet6 proto udp from any to any port ripng
>
> all occurrences of
>
> fe80::<mac-address>%$int_if -> ff02::9
>
> were blocked by the urpf-failed rule.
>
> Any suggestions why this happens?

Probably this change:
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/pf.c#rev1.625
seems it's not yet merged to FreeBSD.

I'm using the following as a temporary solution (adapted from rc.firewall):

block log all
anchor "ipv6-link-local" quick inet6 {
        pass proto icmp6 from :: to ff02::/16
        pass proto icmp6 from fe80::/10 to fe80::/10
        pass proto icmp6 from fe80::/10 to ff02::/16
        pass from fe80::/10 to ff02::/16
        pass from (self:network) to ff02::/16
        pass proto udp from fe80::/10 to (self) port dhcpv6-client
}
block in log quick from urpf-failed
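
Added example (not part of the original thread and not pf's own code): a small Python model of the workaround ruleset above, for checking which inbound IPv6 packets the "ipv6-link-local" anchor passes before the urpf-failed rule is reached. The (self) and (self:network) values are constructed stand-ins, the uRPF result is supplied as an input instead of being computed, and the model assumes that "quick" on the anchor ends evaluation once any rule inside it matches.

```python
import ipaddress as ip

LINK_LOCAL = ip.ip_network("fe80::/10")
MULTICAST = ip.ip_network("ff02::/16")
UNSPECIFIED = ip.ip_address("::")
DHCPV6_CLIENT = 546  # "dhcpv6-client" in /etc/services

# Constructed stand-ins for pf's dynamic (self) and (self:network) tables.
SELF_ADDRS = {ip.ip_address("fe80::1"), ip.ip_address("2001:db8:1::1")}
SELF_NETWORKS = [ip.ip_network("fe80::/64"), ip.ip_network("2001:db8:1::/64")]


def anchor_passes(src, dst, proto, dport=None):
    """Return the last matching pass rule of the anchor (pf is last-match), or None."""
    s, d = ip.ip_address(src), ip.ip_address(dst)
    icmp6 = proto == "icmp6"
    rules = [
        ("pass proto icmp6 from :: to ff02::/16",
         icmp6 and s == UNSPECIFIED and d in MULTICAST),
        ("pass proto icmp6 from fe80::/10 to fe80::/10",
         icmp6 and s in LINK_LOCAL and d in LINK_LOCAL),
        ("pass proto icmp6 from fe80::/10 to ff02::/16",
         icmp6 and s in LINK_LOCAL and d in MULTICAST),
        ("pass from fe80::/10 to ff02::/16",
         s in LINK_LOCAL and d in MULTICAST),
        ("pass from (self:network) to ff02::/16",
         any(s in n for n in SELF_NETWORKS) and d in MULTICAST),
        ("pass proto udp from fe80::/10 to (self) port dhcpv6-client",
         proto == "udp" and s in LINK_LOCAL and d in SELF_ADDRS
         and dport == DHCPV6_CLIENT),
    ]
    matched = [text for text, hit in rules if hit]
    return matched[-1] if matched else None


def verdict(src, dst, proto, dport=None, urpf_ok=True):
    """Verdict for an inbound IPv6 packet under the three top-level rules shown."""
    if anchor_passes(src, dst, proto, dport):
        return "pass"                    # anchor is quick: evaluation stops here
    if not urpf_ok:
        return "block (urpf-failed)"     # block in log quick from urpf-failed
    return "block (block log all)"       # only the default block matched


if __name__ == "__main__":
    # RIPng announcement from the thread: link-local source to ff02::9, UDP 521.
    print(verdict("fe80::21b:21ff:fe00:1", "ff02::9", "udp", 521, urpf_ok=False))
```

Packets with a global source address never match the anchor unless they are sent to ff02::/16 from a directly attached network, so the urpf-failed rule still applies to routed traffic.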
