On Sun, Feb 08, 2004 at 07:27:24PM -0000, [EMAIL PROTECTED] wrote:
> is it possible to show state over IPv6 by pfctl?
It does, by default. For instance,
$ pfctl -ss
gif0 tcp 2001:470:1f00:ffff::475[29679] -> 3ffe:4017:1:116:250:daff:fe41:628f[25]
ESTABLISHED:ESTABLISHED
> % sudo pfctl -ss
> (showing only state of IPv4)
That means there are no state entries for IPv6 connections.
> % netstat -an
> (...)
> Active Internet connections (including servers)
> Proto Recv-Q Send-Q Local Address Foreign Address (state)
> tcp6 0 0 2002:c0a8:9001::.22 2002:c0a8:9002::.25484
> ESTABLISHED
And that means you're passing IPv6 connections without creating state.
Check your ruleset, are there any 'pass' rules without 'keep state',
especially for IPv6 (or without any inet/inet6 option)?
Daniel
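
An added example, not part of the original message: a shell check that lists 'pass' rules which create no state and can match IPv6 (inet6, or no address family given). It assumes, as in this thread, a pf where state is created only when the rule says so, and one rule per line as printed by `pfctl -sr`; the function names, interfaces and sample rules are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample ruleset (not taken from the thread).
sample_rules() {
cat <<'EOF'
block in all
pass in on fxp0 inet proto tcp from any to any port 22 keep state
pass in on gif0 inet6 proto tcp from any to any port 25
pass out on fxp0 proto tcp all
pass out on gif0 inet6 proto tcp all modulate state
pass in on fxp0 inet proto tcp from any to any port 80
EOF
}

# Print "lineno: rule" for every pass rule that has no state keyword and
# is not restricted to IPv4. Reads the named files, or stdin if none given.
stateless_v6_pass() {
    awk '
    /^[[:space:]]*#/ { next }                      # skip comment lines
    $1 != "pass"     { next }                      # only pass rules matter
    /(keep|modulate|synproxy) state/ { next }      # rule creates state
    {
        v4only = 0
        for (i = 1; i <= NF; i++)
            if ($i == "inet") v4only = 1           # inet6 is a different token
        if (!v4only) print NR ": " $0              # inet6 or any family
    }
    ' "$@"
}

# Stand-alone run over the constructed sample.
sample_rules | stateless_v6_pass
```

On a live system the loaded ruleset can be piped in instead, for example `pfctl -sr | stateless_v6_pass`.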