Hey all,

I have set up an IPv6 tunnel. With my firewall down, ping6 has no trouble
getting through. However, when I put up my firewall, the ping6s start
getting blocked. I have looked around at different how-tos and docs, and
can't seem to find my answer. No matter what rule I add to my pf.conf, it
gets ignored, and immediately blocked by my "block all from any to any"
rule. Here is the rule I added:

## IPv6 Stuff
pass in quick on $ext inet6 proto ipv6-icmp all icmp6-type { 134, 135, 136, 128, 129 }


Here is what pfctl -sr shows:

scrub in on fxp0 all fragment reassemble
scrub out on fxp0 all random-id fragment reassemble
block drop in log quick on fxp0 from <fuckers> to any
pass in log quick on fxp0 inet proto tcp from <ftp> to any port = ftp flags S/SA keep state
pass in log quick on fxp0 inet proto tcp from <ftp> to any port 49152 >< 65535 keep state
pass in log quick on fxp0 inet proto tcp from <agssh> to 10.1.1.237 port = ssh flags S/SA keep state queue(ext_ssh_def, ext_ssh_pri)
pass in log quick on fxp0 inet proto tcp from <jssh> to 10.1.1.239 port = ssh flags S/SA keep state queue(ext_ssh_def, ext_ssh_pri)
pass in log quick on fxp0 inet proto tcp from <gwssh> to (fxp0) port = ssh flags S/SA keep state queue(ext_ssh_def, ext_ssh_pri)
pass out quick on lo0 all
pass in quick on lo0 all
pass in quick on fxp0 inet6 proto ipv6-icmp all icmp6-type routeradv
pass in quick on fxp0 inet6 proto ipv6-icmp all icmp6-type neighbrsol
pass in quick on fxp0 inet6 proto ipv6-icmp all icmp6-type neighbradv
pass in quick on fxp0 inet6 proto ipv6-icmp all icmp6-type echoreq
pass in quick on fxp0 inet6 proto ipv6-icmp all icmp6-type echorep
block drop in log quick on fxp0 inet proto tcp from any to any port = epmap
block drop in log quick on fxp0 inet proto tcp from any to any port = krb524
block drop in log quick on fxp1 inet proto tcp from 10.1.1.0/24 to any port = epmap
block drop in log quick on fxp1 inet proto tcp from 10.1.1.0/24 to any port = krb524
block drop in log on fxp0 all
block return-rst in log on fxp0 inet proto tcp all
block return-icmp(port-unr) in log on fxp0 inet proto udp all

pass in log quick on fxp0 inet proto tcp from any to 10.1.1.35 port = 3389 flags S/SA keep state queue(ext_def, ext_pri)
pass in log quick on fxp0 inet proto tcp from $workip to 10.1.1.37 port = 5900 flags S/SA keep state queue(ext_def, ext_pri)

pass in log quick on fxp0 inet proto tcp from $anotherbox
pass in log quick on fxp0 inet proto tcp from any to 10.1.1.237 port = smtp flags S/SA keep state queue(ext_def, ext_pri)
pass in log quick on fxp0 inet proto tcp from $workip to 10.1.1.239 port = ssh queue(ext_ssh_def, ext_ssh_pri)
pass in log quick on fxp0 inet proto tcp from any to 10.1.1.239 port = www queue(ext_def, ext_pri)
pass out on fxp0 inet proto tcp from (fxp0) to any flags S/SA keep state queue(ext_def, ext_pri)
pass out on fxp0 inet proto udp from (fxp0) to any keep state
pass out on fxp0 inet proto icmp from (fxp0) to any keep state


Yet when I ping myself from outside, I'm getting blocked:

Sep 17 15:42:32.257616 rule 17/0(match): block in on fxp0: 2001:730:11::2:10 > 2001:730:11::1:: icmp6: echo request (encap)
Sep 17 15:42:33.265268 rule 17/0(match): block in on fxp0: 2001:730:11::2:10 > 2001:730:11::1:: icmp6: echo request (encap)
Sep 17 15:42:34.255380 rule 17/0(match): block in on fxp0: 2001:730:11::2:10 > 2001:730:11::1:: icmp6: echo request (encap)
Sep 17 15:42:35.258714 rule 17/0(match): block in on fxp0: 2001:730:11::2:10 > 2001:730:11::1:: icmp6: echo request (encap)
Sep 17 15:42:36.255759 rule 17/0(match): block in on fxp0: 2001:730:11::2:10 > 2001:730:11::1:: icmp6: echo request (encap)

(I changed the 2001:730:11::1:: address so no one hax0rs me ;)

What am I missing here? I will send my full pf.conf to anyone who's
interested in it. Didn't want to paste the whole thing here though.

TIA for any response!
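The detail that explains the block is the "(encap)" at the end of each pflog line: what arrived on fxp0 is an IPv4 packet carrying protocol 41 (IPv6-in-IPv4), and pflog is decoding the IPv6 echo request inside it. pf evaluates that packet as inet proto 41 on fxp0, so none of the "inet6 proto ipv6-icmp" rules can match it, and it falls through to the catch-all. Counting the filter rules in the pfctl -sr listing from 0 (scrub rules are a separate ruleset and are not counted), rule 17 is "block drop in log on fxp0 all", which agrees with the log. The decapsulated IPv6 packet only becomes visible to pf on the tunnel interface. The following pf.conf fragment is an added example, not from the original post: it passes the tunnel itself on the outer interface, restricted to the known far end, and filters ICMPv6 on the tunnel interface. The names $tunnel_peer, the 192.0.2.1 address and gif0 are assumptions standing in for the poster's real values.

```pf
# Added example, not part of the original post.  Assumed names:
#   $ext         the outer interface (fxp0 in the post)
#   $tunnel_peer IPv4 address of the far end of the 6in4 tunnel (placeholder)
#   gif0         the tunnel interface the IPv6 traffic is decapsulated on
ext         = "fxp0"
tunnel_peer = "192.0.2.1"

# On the outer interface the tunnel is plain IPv4, protocol 41
# ("ipv6" in /etc/protocols).  The inet6 icmp6 rules never see this
# packet, which is why it fell through to "block drop in log on fxp0 all".
# Limit it to the known peer so arbitrary hosts cannot feed IPv6 into
# the tunnel from the outside.
pass in  quick on $ext inet proto ipv6 from $tunnel_peer to ($ext)
pass out quick on $ext inet proto ipv6 from ($ext) to $tunnel_peer

# The decapsulated IPv6 packets are filtered on gif0, not on $ext.
# Default deny on the tunnel, then allow neighbour discovery and echo;
# echorep must be allowed explicitly because icmp6 echo is not stateful here.
block drop in log on gif0 inet6 all
pass in  quick on gif0 inet6 proto ipv6-icmp all icmp6-type { routeradv, neighbrsol, neighbradv, echoreq, echorep }
pass out quick on gif0 inet6 all keep state
```

Two checks are worth running after a reload. `pfctl -vvsr` prints every filter rule prefixed with its number (`@17 block drop in log on fxp0 all`), so a "rule 17/0(match)" log entry can be tied to the rule without counting by hand. And `tcpdump -n -e -ttt -i pflog0` shows the interface each blocked packet was seen on: once the proto 41 rule is in place, any remaining IPv6 blocks should be logged on gif0 rather than on fxp0.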
