Peter Schuller wrote:
> Hello,
> I am using pf on a 6.1 machine. I have a tunneling interface (gif0) for my 
> IPv6 feed. The problem I am having is connecting to myself in spite of 
> firewalling.
> I am allowing traffic on port 22 to my public ipv6 address. I am also 
> allowing 
> all outgoing traffic on the tunneling interface, with 'keep state'.
> ping6:ing myself works, but connecting to port 22 does not. The intial SYN 
> gets through and is responded to by an ACK, but that ACK is seemingly 
> dropped. This inspite of the fact that 'pfctl -s state' shows a tracked 
> connection for the relevant port pair.
> I can work around it by allowing all packets from my own IP on the tunneling 
> interface, but as far as I know this should not be required. That is, 
> connection tracking should be working even for local connections on a 
> particular interface - correct?
> Note that connecting to port 22 works perfectly from outside IP:s (I had 
> someone external verify this) without any special casing of the rules. That 
> is, I only have the usual rules for allowing the incoming packets to port 22, 
> and the rule allowing outgoing packets with 'keep state'. The fact that this 
> allows successful establishment to port 22 by an external party suggests to 
> me that I have not made some trivial misstake in the rule - yet connections 
> to myself do not work.
> My question is whether there are any known issues that this sounds like - or 
> of course if there is some reason why this is not supposed to work by design.

Are you using antispoofing rules on your external interface?  If you've got
something like this in your ruleset:

   antispoof log quick for $ext_if

Then it will expand into a series of rules containing the following when you 

block drop in log quick on ! em0 inet from to any

Where is the address of the network your external interface
(em0) is attached to.  (Although the example I show is for IPv4, exactly the
same applies for IPv6) End result is that you cannot connect to a service
listening on your external IP from the box itself, because that does not
result in inbound packets traversing the em0 interface.  And it's a 'quick'
rule, so you can't override it by adding a more specific rule later in the

In general, use antispoof for the loopback as a standard part of any ruleset
you write.  Antispoof on other interfaces should be considered carefully and
only applied where necessary.



Dr Matthew J Seaman MA, D.Phil.                       7 Priory Courtyard
                                                      Flat 3
PGP:         Ramsgate
                                                      Kent, CT11 9PW

Attachment: signature.asc
Description: OpenPGP digital signature

Reply via email to