On Wed, Dec 04, 2002 at 08:34:56AM -0300, Alejandro G. Belluscio wrote:
> When I try to configure a rule:
> block in quick on $IntIF inet6 from ! $IntIF/64 to any
> I get an error message:
> /etc/pf.conf:115: illegal netmask value /64

Can you show the output of ifconfig $IntIF, I assume you have both IPv4 and IPv6 addresses assigned to it? Looks like a bug where the /64 netmask is applied to an IPv4 address of the interface, though I can't reproduce it with -current.

Using '!' on something that potentially expands to a list of addresses is problematic, as you can easily generate the infamous 'negated list', which makes the rule apply to all packets. I personally would use the single IPv6 address, literally, there:

  block in quick on $IntIF inet6 from ! 2001:470:1f00:670::/64

> Does this come from the fact that the interface can have multiple
> addresses there's no way to have one natural address. So do I have
> to specify the IP6?

As long as the interface has only a single IPv6 address assigned, it should work. When there are several addresses, it's wiser to explicitly use '! addr/mask' instead of '! if/mask', as the latter expands to rules that would match any packets. If you don't know what I mean, try and run it through pfctl -nvf, you'll see :)

> Is there any documentation on how to do
> firewalling in IPv6?
> Because I've been trying and I really couldn't find.

An example rule set that filters IPv6 on gif0 is on http://www.benzedrine.cx/pf.conf and there are plenty of examples linked to from the bottom of http://www.benzedrine.cx/pf.html

Daniel
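The 'negated list' problem Daniel describes can be made concrete with a small simulation. This is an added example, not code from the thread or from pf itself: it models how `from ! $IntIF/64` expands into one negated rule per interface address, evaluates sample source addresses against the expansion with first-match (`quick`) semantics, and contrasts it with a single literal `! addr/mask`. The two interface prefixes and the test addresses are constructed documentation-range values, not taken from the thread.

```python
import ipaddress

# Constructed sample: an interface that carries two IPv6 prefixes.
# Both are made-up documentation addresses (RFC 3849 range).
IF_PREFIXES = ["2001:db8:1::/64", "2001:db8:2::/64"]


def expand_negated_interface(prefixes):
    """Model pf's expansion of 'from ! $IntIF/64' when the interface has
    several addresses: the interface macro becomes a list, and the '!' is
    applied to each member separately. Returns one (negated, network) rule
    per address."""
    return [(True, ipaddress.ip_network(p, strict=False)) for p in prefixes]


def single_prefix_rule(prefix):
    """Model Daniel's fix: one negated rule for one literal prefix."""
    return [(True, ipaddress.ip_network(prefix, strict=False))]


def rule_matches(rule, src):
    """A negated rule matches when the source is NOT inside the network."""
    negated, net = rule
    inside = ipaddress.ip_address(src) in net
    return inside != negated


def blocked(rules, src):
    """'block in quick': the first matching rule wins, so the packet is
    blocked as soon as any rule in the expanded list matches it."""
    return any(rule_matches(r, src) for r in rules)


def survey(rules, sources):
    """Return {source: blocked?} so the effect of a rule set on a set of
    sample sources can be read at a glance."""
    return {src: blocked(rules, src) for src in sources}


if __name__ == "__main__":
    # Constructed sample sources: one inside each interface prefix, one outside.
    samples = ["2001:db8:1::10", "2001:db8:2::10", "2001:db8:ffff::1"]

    # Expansion of '! $IntIF/64' over two prefixes: a source inside prefix 1
    # still matches the '! prefix 2' rule, and vice versa, so everything blocks.
    print("negated interface list:", survey(expand_negated_interface(IF_PREFIXES), samples))

    # Literal '! 2001:db8:1::/64': only sources outside that prefix are blocked.
    print("single literal prefix: ", survey(single_prefix_rule("2001:db8:1::/64"), samples))
```

The same conclusion is what `pfctl -nvf` would show you for the real rule set: the interface form prints as several negated rules, and no source address can escape all of them at once. The literal form prints as exactly one rule.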
