Hello, misc! :-) At the moment I'm a bit stuck with a problem I try to solve with PF on OpenBSD -current.
I use random IPv6 addresses for most outgoing IPv6 connections from the LAN, which works just fine using nat like this:

    nat on gif0 inet6 from ! (gif0) to any -> 2001:aaaa:bbbb:cccc::/64 random

When connecting to an IRC server, the IRC server tries to connect back to this address on port 113 (auth) and expects at least some kind of answer, like when the port is blocked. With my default "block drop in" rule the IRC server gets no answer and it takes some time until the connection times out. With a fixed IP address (above nat rule commented out), such a rule works fine to avoid having to wait for the timeout:

    block return in quick on gif0 inet6 proto tcp from any to $client port 113

The IRC server is happy to get an answer and connects me quickly.

What I try to do now is to use random IP addresses and to add each address in use to a table and block port 113 just for the addresses in use, like this:

    table <ip6_auth> persist
    block return in quick on gif0 inet6 proto tcp from any to <ip6_auth> port 113

This works just fine, as soon as the IPv6 address currently in use gets into the table. To achieve this, I tried:

    pass out on gif0 inet6 proto tcp from any to any port 6600:7000 keep state (max-src-conn 0, overload <ip6_auth>)

Looks good, but does not work. PF complains: "'max-src-conn' must be > 0". With "max-src-conn 1" the IP address only gets added to the table with the second connection, which doesn't help me in my case. I'd need to have the address in the table as soon as the first connection is built up. I tried with max-src-conn-rate, too, but also there values > 0 are required.

My question is now: do I look in the right direction (using a table)? Is this the right way to achieve what I want? Which basically is, to use an outgoing connection from a specific IP address as a trigger to open/block/etc. other ports on this IP address? Or is there another way to do it which I didn't see so far?
As far as I know I saw this functionality in the menus of some cheap router boxes already, called "Port Range Triggering" or so there, which probably means that this problem is relatively common, so there's probably an easy solution using PF, I just don't see it yet. Thank you for any help with this! Tas.
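One userland way to feed the <ip6_auth> table described in the post, as an added example that is not part of the original message and not an answer from the OpenBSD project: a shell function that reads pfctl state output, picks out the translated (post-NAT) source address of every TCP state whose destination port falls in the IRC port range, and prints the addresses so they can be handed to pfctl -t ip6_auth -T add. The state line layout used here (interface, protocol, source[port], translated address in parentheses, "->", destination[port]) is an assumption about pfctl -ss output, and the sample lines are constructed, not captured from a real system.

```shell
#!/bin/sh
# Constructed sample in the assumed layout of `pfctl -ss` output (not real capture).
# Lines 1 and 2 are outgoing IRC connections through the random NAT pool,
# line 3 is HTTPS (outside the range), line 4 is UDP (ignored).
SAMPLE_STATES='gif0 tcp 2001:db8:0:1:8a3f:1b2c:9d4e:7f60[40122] (fd00:1::10[40122]) -> 2001:db8:ffff::6[6667]       ESTABLISHED:ESTABLISHED
gif0 tcp 2001:db8:0:1:3c1d:aa0e:5b77:12f9[40123] (fd00:1::11[40123]) -> 2001:db8:ffff::7[6697]       ESTABLISHED:ESTABLISHED
gif0 tcp 2001:db8:0:1:8a3f:1b2c:9d4e:7f60[40124] (fd00:1::10[40124]) -> 2001:db8:ffff::9[443]       ESTABLISHED:ESTABLISHED
all udp fd00:1::10[5353] -> ff02::fb[5353]       MULTIPLE:MULTIPLE'

# states_to_table LO HI
# Reads state lines on stdin and prints, once each, the public-side source
# address of every TCP state whose destination port is within LO..HI.
# Field 3 is the address the peer sees (the random NAT address); the
# original LAN address in parentheses is deliberately not used, because the
# auth connection from the IRC server arrives for the NAT address.
states_to_table() {
    lo=$1; hi=$2
    awk -v lo="$lo" -v hi="$hi" '
        $2 != "tcp" { next }
        {
            src = $3; sub(/\[.*$/, "", src)          # strip "[port]" from source
            dst = ""
            for (i = 4; i <= NF; i++) if ($i == "->") { dst = $(i + 1); break }
            if (dst == "") next
            port = dst; sub(/^.*\[/, "", port); sub(/\]$/, "", port)
            if (port + 0 >= lo && port + 0 <= hi) print src
        }' | sort -u
}

# sync_ip6_auth LO HI
# Hypothetical helper: populate the persistent <ip6_auth> table from the live
# state table. Only runs where pfctl exists; the table name is the one from the post.
sync_ip6_auth() {
    command -v pfctl >/dev/null 2>&1 || { echo "pfctl not available" >&2; return 1; }
    pfctl -ss | states_to_table "$1" "$2" | while read -r addr; do
        pfctl -t ip6_auth -T add "$addr"
    done
}

# Demonstration on the constructed sample: prints the two IRC NAT addresses.
printf '%s\n' "$SAMPLE_STATES" | states_to_table 6600 7000
```

Polling the state table from cron or a loop is inherently racy: the auth connection from the IRC server can arrive before the next sync runs, which is exactly the window the in-kernel overload mechanism in the post was meant to close. Addresses also have to be expired from the table again (pfctl -t ip6_auth -T expire) once their states are gone, otherwise the table grows with every random address ever used.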

