On Thu, 5 Dec 2002, jolan wrote:

> On Thu, Dec 05, 2002 at 09:21:05PM -0300, Alejandro G. Belluscio wrote:
> > I have a 3.2 release running as a firewall. I've got an IP tunnel
> > service from www.freenet6.net. So I use gif0 for the tunnel. It didn't
> > work when I just had the first rule. But then when I added the
> > second it magically pinged. The question is: using inet6 is different
> > to proto 41? Why?
> >
> > block in quick on $ExtIF inet6 from any to any
> > pass in quick on $ExtIF proto 41 from 206.123.31.114 to $ExtIP keep state
>
> The difference is something like this: proto 41 is ipv6 over ipv4,
> while inet6 is native ipv6.

You can also filter IPv6 traffic on the gif interface. Daniel has a nice
pf.conf example on his website to demonstrate this:
http://www.benzedrine.cx/pf.conf

[snip]

# other protocols (IPv6 tunnel)
pass out on $ext_if inet proto ipv6 from $ext_if to 64.71.128.82 keep state
pass in on $ext_if inet proto ipv6 from 64.71.128.82 to $ext_if keep state

# =============================================================================
# tunnel interface (all external IPv6 traffic)
# =============================================================================

# ICMP
pass out on gif0 inet6 proto ipv6-icmp from $ipv6_net to any \
    ipv6-icmp-type echoreq keep state
pass in on gif0 inet6 proto ipv6-icmp from any to $ipv6_net \
    ipv6-icmp-type echoreq keep state

# UDP
pass out on gif0 inet6 proto udp from $ipv6_net to any keep state
pass in on gif0 inet6 proto udp from any to $ipv6_net \
    port $services_udp keep state

# TCP
pass out on gif0 inet6 proto tcp from $ipv6_net to any flags S/SA keep state
pass in on gif0 inet6 proto tcp from any to $ipv6_net \
    port $services_tcp flags S/SA keep state

Cheers,
Dries
--
Dries Schellekens
email: [EMAIL PROTECTED]
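
The distinction discussed in this thread, as an added example that is not part of the original messages: a tunnelled packet arriving on the external interface has an IPv4 outer header with protocol 41, and only after the outer header is stripped (what the gif interface hands to the filter) is it an inet6 packet. The addresses are constructed from documentation ranges, and the function names are hypothetical.

```python
import ipaddress
import struct

def ipv4_header(src, dst, proto, payload_len):
    # 20-byte IPv4 header; checksum left at 0, which classification ignores.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def ipv6_header(src, dst, next_header, payload_len):
    # Fixed 40-byte IPv6 header: version 6, zero traffic class and flow label.
    return struct.pack("!IHBB16s16s", 6 << 28, payload_len, next_header, 64,
                       ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address(dst).packed)

def classify(packet):
    """Return (address family, protocol) from the outermost IP header."""
    version = packet[0] >> 4
    if version == 4:
        return ("inet", packet[9])    # IPv4 Protocol field
    if version == 6:
        return ("inet6", packet[6])   # IPv6 Next Header field
    raise ValueError("not an IP packet")

def decapsulate(packet):
    """Strip the outer IPv4 header of a protocol-41 packet."""
    if classify(packet) != ("inet", 41):
        raise ValueError("not IPv6-in-IPv4")
    return packet[(packet[0] & 0x0F) * 4:]

# Constructed sample: ICMPv6 echo request (type 128) inside a tunnel packet.
ICMP6_ECHO = struct.pack("!BBHHH", 128, 0, 0, 1, 1)
INNER = ipv6_header("2001:db8::1", "2001:db8::2", 58, len(ICMP6_ECHO)) + ICMP6_ECHO
OUTER = ipv4_header("192.0.2.1", "198.51.100.1", 41, len(INNER)) + INNER

if __name__ == "__main__":
    print("on the external interface:", classify(OUTER))
    print("on gif0 after decapsulation:", classify(decapsulate(OUTER)))
```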
