Hello Dries,

Friday, December 06, 2002, 7:07:02 AM, you wrote:

>> > block in quick on $ExtIF inet6 from any to any
>> > pass in quick on $ExtIF proto 41 from 206.123.31.114 to $ExtIP keep state
>>
>> The difference is something like this: proto 41 is ipv6 over ipv4,
>> while inet6 is native ipv6.
>>

DS> You can also filter IPv6 traffic on the gif interface. Daniel has a nice
DS> pf.conf example on his website to demonstrate this:
DS> http://www.benzedrine.cx/pf.conf

I know and that's my intention. Just like IPSec. You have to allow AH and ESP through your external interface and filter on the tun0.

I've been digging into my "Unix Network Programming" and now I see that the version (4 or 6) is in the first 4 bits of a packet. And the Protocol is the tenth byte of the header on IPv4 while it's the seventh on IPv6.

So yep, I'm not allowing IPv6 packets coming on the $ExtIF (since I use the tunnel this is reasonable). But do allow the tunneled packets. Which I later filter on the gif0, of course.

Best Regards,
Alejandro Belluscio
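Added example, not part of the original message: a small Python classifier that reads the header fields mentioned above (version nibble, IPv4 Protocol byte, IPv6 Next Header byte) and models what the two quoted $ExtIF rules match. The function names, the sample packets and the address 192.0.2.10 standing in for $ExtIP are assumptions; `ext_if_verdict` is a simplified model, not pf.

```python
import ipaddress
import struct

PROTO_41 = 41  # IP protocol number: IPv6 encapsulated in IPv4 (6in4)

def classify(pkt: bytes):
    """Classify a raw IP packet as seen on the external interface."""
    version = pkt[0] >> 4 if pkt else 0        # version = first 4 bits
    if version == 6:
        if len(pkt) < 40:                      # fixed IPv6 header is 40 bytes
            return ("malformed", None)
        return ("native-ipv6", pkt[6])         # Next Header = 7th byte
    if version != 4:
        return ("malformed", None)
    ihl = (pkt[0] & 0x0F) * 4                  # IPv4 header length in bytes
    if ihl < 20 or len(pkt) < ihl:
        return ("malformed", None)
    proto = pkt[9]                             # Protocol = 10th byte
    if proto != PROTO_41:
        return ("ipv4", proto)
    inner = pkt[ihl:]                          # what gif0 sees after decapsulation
    if len(inner) < 40 or inner[0] >> 4 != 6:  # payload is not an IPv6 header
        return ("bad-6in4", None)
    return ("6in4", inner[6])                  # inner Next Header

def ext_if_verdict(pkt: bytes, tunnel_peer: str) -> str:
    """Simplified model of the two quoted $ExtIF rules (assumption, not pf)."""
    kind, _ = classify(pkt)
    if kind == "native-ipv6":
        return "block"                         # block in quick ... inet6
    if kind in ("6in4", "bad-6in4"):           # rule matches the outer header only
        src = str(ipaddress.IPv4Address(pkt[12:16]))
        return "pass" if src == tunnel_peer else "no-match"
    return "no-match"                          # left to the rest of the ruleset

def ipv4(proto, src, dst, payload=b""):        # constructed header, checksum 0
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload

def ipv6(next_header, src, dst, payload=b""):  # constructed header
    return struct.pack("!IHBB16s16s", 6 << 28, len(payload), next_header, 64,
                       ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address(dst).packed) + payload

PEER = "206.123.31.114"                        # tunnel endpoint from the quoted rule
INNER = ipv6(58, "2001:db8::1", "2001:db8::2") # constructed; 58 = ICMPv6
TUNNELED = ipv4(41, PEER, "192.0.2.10", INNER) # 192.0.2.10 stands in for $ExtIP
```

A proto 41 packet from the tunnel peer passes on $ExtIF whatever its payload is, which is why the inner packet still has to be filtered on gif0.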
