pf and ipv6

Hi,

need some help with setting the correct rules in pf to allow web traffic...

Here is the rule that I use now:
Code:
pass in log quick on bce0 inet6 proto tcp from any to $myip6 port 80
I have also tried
Code:
pass in log quick on bce0 proto ipv6
which should permit all ipv6 traffic, but still none goes through...?

Here is what tcpdump shows (tcpdump -n -e -ttt -i pflog):
Code:
00:00:00.546047 rule 0/0(match): block in on bce0: [|ip6]

and pfctl rules:
Code:
# pfctl -sr | grep  inet6
block drop in quick on ! lo inet6 from ::1 to any
block drop in quick inet6 from ::1 to any
block drop in quick on lo0 inet6 from fe80::1 to any
block drop in quick on ! bce0 inet6 from 2a02:840:1:200::/64 to any
block drop in quick on bce0 inet6 from fe80::21c:c4ff:fe78:ec46 to any
block drop in quick inet6 from 2a02:840:1:200::2 to any
pass in log quick on bce0 inet6 proto tcp from any to 2a02:840:1:200::2 port = http flags S/SA keep state

any ideas?
 
What is your very first block rule (i.e. 0/0)? And have you tried this rule
Code:
pass in log quick on bce0 proto ipv6
without any other block rules, and a skip on other interfaces? Also try adding the 'log' statement only to the block rules (or one at the time) and running tcpdump on pflog0.
 
Here is what tcpdump shows (tcpdump -n -e -ttt -i pflog):
Code:
00:00:00.546047 rule 0/0(match): block in on bce0: [|ip6]
This is blocked ip6 traffic, but tcpdump has truncated it. The indicator for truncated packets is "|ip6".

Increase the tcpdump snap to "-s1600" or something like that.
You also have to tell pflogd to increase this snap or capture length. See the pflogd man page. There is also a rc.conf variable to init the flags or options for pflogd.

Try with a simple ruleset like this
Code:
EXT=bce0

# allow everything on loopback
set skip on lo0

# default policy to block all traffic both IPv4 and IPv6
block log all

# now we only have to allow IPv6 traffic to webserver
pass in log quick on $EXT inet6 proto tcp from any to $myip6 port 80

# let webserver do outgoing DNS lookups (both IPv4 and 6)
# pass out log quick on $EXT proto "{udp tcp}" from $EXT to any port 53
A default policy of block log all makes it so much easier to write pf.conf rules. You just add rules to pass the traffic you want to allow in/out.
The default block policy will block everything you did not specifically allow.
 
well, I must have f***ed something up after all different versions of rules :) It is ok now, with the same set of rules... Thanks anyway!
Code:
00:00:00.000000 rule 18/0(match): pass in on bce0: [|ip6]
log statement was there for troubleshooting purposes.
 
Add -s 0 to tcpdump to see full packets. I find tcpdump -s 0 -pnli <interface> a more pleasant command myself, but that's personal.

Note: if you reload pf.conf many times and keep adding and deleting rules, pf can get confused and behave erratically. If what you see doesn't match what you expect (obvious human error aside), restart pf (/etc/rc.d/pf restart) and try again.
 
J65nko said:
Increase the tcpdump snap to "-s1600" or something like that.
thanks for this, never thought that because of display size the output is omitted... Looks better now:
Code:
00:00:02.880838 rule 18/0(match): pass in on bce0: 2a02:840:beef:1d::2.42214 > 2a02:840:1:200::2.80: Flags [S], seq 436018819, win 48240, 
options [mss 1340,TS val 3505202642 ecr 0,wscale 0,sackOK,eol], length 0
 
( there was some ranting here about the binary pflog not honouring snaplength when set in pflog_flags in rc.conf, but that appears to have been resolved )
 