PF DHCPv6 address and pf

I am using the KAME DHCP6 client on a FreeBSD 10 server to acquire an IPv6 address and prefix from Comcast. I created a pf rule to allow access to httpd but it does not work:

Code:
pass in on $EXT inet6 proto tcp from any to ($EXT) port http

It will work if I remove the dynamic address feature:

Code:
pass in on $EXT inet6 proto tcp from any to $EXT port http

I suspect it is because the dynamic address feature is not picking up the correct inet6 address (possibly using the local link instead), but I don't know how to prove it. Is there another way to encourage pf to track the leased IPv6 address, similar to how it can track the IPv4 lease?
 
With the address tracking enabled on re0:
Code:
root@server:~ # pfctl -sr | grep http
No ALTQ support in kernel
ALTQ related functions disabled
pass in on re0 inet proto tcp from any to (re0) port = http flags S/SA keep state
pass in on re0 inet6 proto tcp from any to (re0) port = http flags S/SA keep state

Without the address tracking:
Code:
root@server:~ # pfctl -sr | grep http
No ALTQ support in kernel
ALTQ related functions disabled
pass in on re0 inet6 proto tcp from any to fe80::428d:5cff:fe07:a3e3 port = http flags S/SA keep state
pass in on re0 inet6 proto tcp from any to 2001:xxxx:xxxx:13:3cb4:1c71:5ed3:50f5 port = http flags S/SA keep state
pass in on re0 inet proto tcp from any to (re0) port = http flags S/SA keep state
 
Nice find. It doesn't work within the tracking parentheses. If I remove the tracking parentheses, pfctl -sr displays only the link-local address. You're probably right about the address-scope problem.
 
I've also noticed while upgrading to 10.2 that dhcp6c does not start until long after pf does. This means the leased IPv6 address won't be loaded into the firewall rules at startup.
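One workaround for both problems raised in this thread (the interface-tracking syntax not matching the leased global address, and dhcp6c starting after pf has already loaded its rules) is to stop depending on ($EXT) expansion for inet6 and instead keep the leased address in a pf table that a small script refreshes. The script below is an added example, not code from the thread or from the KAME dhcp6c project; it assumes the interface is re0, the table is named <ext6>, and FreeBSD's ifconfig output format ("inet6 <addr>%scope prefixlen ..."). The pf.conf side would be `table <ext6> persist` plus `pass in on $EXT inet6 proto tcp from any to <ext6> port http`. The sample ifconfig output is constructed (documentation prefix 2001:db8::/32) so the parser can be exercised without a real interface.

```shell
#!/bin/sh
# Added example: keep a pf table in sync with the DHCPv6-leased global
# address on the external interface. Assumptions (not from the thread):
# interface re0, table <ext6>, FreeBSD ifconfig output format.

EXT_IF="${EXT_IF:-re0}"
TABLE="${TABLE:-ext6}"

# Constructed sample of 'ifconfig re0 inet6' output for offline testing.
# It contains the link-local address, a privacy (temporary) address that
# rotates and should not be used, and the leased global address.
SAMPLE_IFCONFIG='re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet6 fe80::428d:5cff:fe07:a3e3%re0 prefixlen 64 scopeid 0x1
    inet6 2001:db8:0:13:a1b2:c3d4:e5f6:1234 prefixlen 64 autoconf temporary
    inet6 2001:db8:0:13:3cb4:1c71:5ed3:50f5 prefixlen 128
    nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>'

# global_inet6_addrs: read ifconfig output on stdin and print one stable
# global IPv6 address per line. Link-local (fe80::/10), loopback and
# temporary privacy addresses are skipped; the %scope suffix is stripped.
global_inet6_addrs() {
    awk '$1 == "inet6" {
            addr = $2
            sub(/%.*/, "", addr)                  # drop "%re0" scope id
            if (addr ~ /^[fF][eE][89abAB]/) next  # link-local fe80::/10
            if (addr == "::1") next               # loopback
            if ($0 ~ /temporary/) next            # rotating privacy address
            print addr
        }'
}

# sync_table: replace the table contents with the current global address(es)
# of EXT_IF. Needs root and pf enabled; intended to be run from cron or from
# a dhcp6c hook right after a lease is obtained, so the rule set does not
# depend on the boot-time ordering of pf and dhcp6c.
sync_table() {
    addrs=$(ifconfig "$EXT_IF" inet6 | global_inet6_addrs)
    if [ -z "$addrs" ]; then
        echo "no global IPv6 address on $EXT_IF yet" >&2
        return 1
    fi
    # Word splitting of $addrs is intentional: one argument per address.
    # shellcheck disable=SC2086
    pfctl -t "$TABLE" -T replace $addrs
}

# Only touch the live firewall when explicitly asked: ./ext6-sync.sh sync
if [ "${1:-}" = "sync" ]; then
    sync_table
fi
```

Because `pfctl -T replace` swaps the whole table atomically, a changed lease never leaves a window with both the old and the new address allowed, and `pfctl -t ext6 -T show` is a quick way to confirm which address the rule is currently matching instead of reading the expanded output of `pfctl -sr`.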
 