Are the encapsulated packets being allowed through wanif OK? Remember
that the same packet will be IPv4 at some points, and IPv6 at others,
depending on which side of the encapsulation it is at. You'll probably need
IPv4 rules on wanif and IPv6 rules on ip6if.
Have you used pflog to see if anything is being blocked?
Dunc
Matt S wrote:
> Hello,
>
> Could someone tell me why, given the following ruleset, I cannot get to my
> machine from the outside on ipv6? Obviously, I just masked out the ipv6
> address for security. Any insight would be much appreciated. Normally, I
> am decent with pf when it comes to ipv4. But, I am utterly lost. Perhaps I
> don't understand what the gif0 interface is truly doing. I know that I
> have it configured to encapsulate IPv6 traffic in IPv4 but I don't know how
> to troubleshoot it well.
>
> wanif="tun0"
> ip6if="gif0"
> intif="em0"
> intnet4="10.40.60.0/24"
> host="XXXX:XXXX:X:XXX::1"
> tcp_services="{ssh,domain,mail,ftp,http,https}"
> udp_services="{domain}"
> set skip on {lo,$intif}
> block in all
> pass out all
> pass out on $wanif scrub (max-mss 1440)
> match out on $wanif inet from $intnet4 to any nat-to ($wanif)
> pass inet proto ipv6 from any to any
> pass in on $ip6if inet6 proto icmp6 icmp6-type {echoreq,unreach}
> pass in on $ip6if inet6 proto tcp from any to $host port $tcp_services
> pass in on $ip6if inet6 proto udp from any to $host port $udp_services
>
> Thank you,
> Matt
>
--
Duncan Lockwood
Principal Network Engineer
The Bunker Secure Hosting Limited
Ash Radar Station
Marshborough Road
Sandwich
Kent CT13 0PL
UNITED KINGDOM
t: 01304 814 800
f: 01304 814 899
e: [email protected]
w: www.thebunker.net
PGP on Key Servers
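To make the two-layer point concrete, here is an added example ruleset (not Matt's configuration and not something Dunc posted) that filters the outer IPv4 protocol-41 packet on the WAN interface and the inner IPv6 packet on gif0, and logs drops so they are visible on pflog0. The interface names follow the original post; the IPv6 address, the tunnel peer address and the interface names are placeholders, and the restriction of the tunnel to a single peer is an assumption about how the tunnel is set up.

```pf
# Added example, not the original poster's ruleset. Placeholders: the 2001:db8::
# documentation prefix, the tunnel peer 192.0.2.1, and the interface names.
wanif        = "tun0"
ip6if        = "gif0"
intif        = "em0"
intnet4      = "10.40.60.0/24"
host         = "2001:db8:1:2::1"     # assumed: your public IPv6 address
tunnel_peer  = "192.0.2.1"           # assumed: IPv4 address of the tunnel broker
tcp_services = "{ ssh, domain, smtp, ftp, http, https }"
udp_services = "{ domain }"

set skip on { lo, $intif }

# Default deny, logged so that blocked packets appear on pflog0 together with
# the interface they arrived on and the rule number that dropped them.
block in log all
pass out all

match out on $wanif inet from $intnet4 to any nat-to ($wanif)
match on $wanif scrub (max-mss 1440)

# Outer layer: on the WAN interface the tunnel is plain IPv4 with protocol
# number 41 (named "ipv6" in /etc/protocols). Limiting it to the tunnel peer
# keeps arbitrary hosts from injecting encapsulated packets.
pass in on $wanif inet proto ipv6 from $tunnel_peer to ($wanif)

# Inner layer: after decapsulation the same traffic shows up as native IPv6
# on gif0, so the service rules go here. "toobig" is needed for path MTU
# discovery to work across the tunnel.
pass in on $ip6if inet6 proto icmp6 icmp6-type { echoreq, unreach, toobig, timex }
pass in on $ip6if inet6 proto tcp from any to $host port $tcp_services
pass in on $ip6if inet6 proto udp from any to $host port $udp_services
```

After loading this with `pfctl -f /etc/pf.conf`, watch the drops with `tcpdump -n -e -ttt -i pflog0` while retrying the connection from outside. An IPv4 drop on tun0 with protocol 41 means the outer rule is the problem; an IPv6 drop on gif0 means the inner rules are. `pfctl -vs rules` shows per-rule packet counters, which tells you whether the intended pass rule is being hit at all.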