Hi, I have ipf version 4.1.28 on my system (FreeBSD7.2). I did search the archive and found something similar:
http://marc.info/?l=ipfilter&m=101246930105753&w=2

In the rc.conf file I have ipv6_ipfilter_rules="/etc/ipf6.base.rules".

The end part of the rules file looks like this:

##########################
....
....
pass in quick proto ipv6-icmp all icmp-type 134 #Router advertisement
pass in quick proto ipv6-icmp all icmp-type 135 #Neighbor solicitation
pass in quick proto ipv6-icmp all icmp-type 136 #Neighbor advertisement
pass in quick proto ipv6-icmp all icmp-type 137 #Redirect from routers
pass in quick proto ipv6-icmp all icmp-type 2 #packet too big
block in quick all
pass out quick proto tcp all keep state
pass out quick proto udp all keep state
pass out quick proto ipv6-icmp all
block in quick proto ipv6-icmp all
##########################

This is what ipfstat prints out:

bash-3.2$ sudo ipfstat -6io
pass out quick on lo0 all
pass out quick on lofb all
pass out quick proto tcp/udp from any to any port = domain keep state
pass out quick proto tcp from any to any keep state
pass out quick proto udp from any to any keep state
pass out quick proto ipv6-icmp from any to any
pass in quick on lo0 all
pass in quick on lofb all
pass in quick from any to any with frag
pass in quick proto tcp/udp from any to any port = ntp keep state
pass in quick proto tcp from any to any port = https keep state
pass in quick proto tcp from any to any port = telnet keep state
pass in quick proto tcp from any to any port = ssh keep state
pass in quick proto tcp/udp from any to any port = sunrpc keep state
block return-rst in quick proto tcp from any to any port = auth
block in quick proto udp from any to any port = auth
block return-rst in quick proto tcp from any to any port = echo
block return-rst in quick proto tcp from any to any port = http
block return-rst in quick proto tcp from any to any port = kshell
block in quick proto udp from any to any port = http
pass in quick proto tcp/udp from any to any port > 1023 keep state
pass in quick proto ipv6-icmp from any to any
pass in quick proto ipv6-icmp from any to any
pass in quick proto ipv6-icmp from any to any
pass in quick proto ipv6-icmp from any to any
pass in quick proto ipv6-icmp from any to any
block in quick all
block in quick proto ipv6-icmp from any to any

Is it that ipfstat is not displaying the icmp-type for IPv6, or is there something that's missing? Please let me know.

Question 2: While specifying IPv4 and IPv6 rules in two different files, is it a must to include TCP rules in both (and make them the same to have the same behavior)?

Best regards,
