Hello,
I'm having some problems dealing with IPv6 and the PacketFilter firewall. As referred to in the FreeBSD Handbook, the current pf version is from OpenBSD 4.1. I want to make sure that there's no syntax mistake in my pf.conf before reporting a bug.
PF doesn't seem to track the outgoing connections, whether UDP, TCP or ICMPv6.
Here's an extract of my pf.conf:
Code:
icmp6_types_in = "{ echoreq, unreach, neighbradv, routeradv }"
icmp6_types_out = "{ echoreq, unreach, neighbrsol, routersol }"
tcp_services = "{ ssh, imap, imaps, smtps, smtp, telnet, http, https, ftp, ftp-data, auth, ntp }"
udp_services = "{ domain, sip, ntp }"
########### IPv6 rules ############
block in log inet6 label "REJECTED IPv6"
# Allow outgoing services
pass out log on $ext_if inet6 proto tcp to any port $tcp_services keep state label "TCP-OUT IPv6"
pass out log on $ext_if inet6 proto udp to any port $udp_services keep state label "UDP-OUT IPv6"
# Trace route out
pass out on $ext_if inet6 proto udp from any to any port 33433 >< 33626
# Ftp out
pass out on $ext_if inet6 proto tcp from any to any port ftp
pass out on $ext_if inet6 proto tcp from any to any port >1023
# ICMPv6
pass out on $ext_if inet6 proto icmp6 all icmp6-type $icmp6_types_out
pass in on $ext_if inet6 proto icmp6 all icmp6-type $icmp6_types_in
My logs after a simple wget -6 ipv6.google.com:
Code:
# tcpdump -nettti pflog0
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
00:00:00.000000 rule 0/0(match): block in on wlan0: 192.168.0.1 > 192.168.0.101: [|ospf2]
00:00:10.001714 rule 0/0(match): block in on wlan0: 192.168.0.1 > 192.168.0.101: [|ospf2]
00:00:08.468249 rule 0/0(match): block in on wlan0: 192.168.0.1.520 > 224.0.0.9.520: RIPv2, Response, length: 84
00:00:01.530189 rule 0/0(match): block in on wlan0: 192.168.0.1 > 192.168.0.101: [|ospf2]
00:00:10.000283 rule 0/0(match): block in on wlan0: 192.168.0.1 > 192.168.0.101: [|ospf2]
00:00:09.999993 rule 0/0(match): block in on wlan0: 192.168.0.1 > 192.168.0.101: [|ospf2]
00:00:01.392122 rule 0/0(match): block in on wlan0: 192.168.0.10 > 224.0.0.1: igmp query v2
00:00:00.853952 rule 49/0(match): pass out on wlan0: [|ip6]
00:00:00.209060 rule 30/0(match): block in on wlan0: [|ip6]
00:00:01.037121 rule 30/0(match): block in on wlan0: [|ip6]
00:00:00.778352 rule 0/0(match): block in on wlan0: 192.168.0.1.520 > 224.0.0.9.520: RIPv2, Response, length: 84
00:00:00.341648 rule 30/0(match): block in on wlan0: [|ip6]
00:00:04.036058 rule 30/0(match): block in on wlan0: [|ip6]
00:00:01.028135 rule 30/0(match): block in on wlan0: [|ip6]
The matched rules:
Code:
...
block drop in log inet6 all label "REJECTED IPv6"
[ Evaluations: 37 Packets: 21 Bytes: 1512 States: 0 ]
[ Inserted: uid 0 pid 10568 ]
...
pass out log on wlan0 inet6 proto tcp from any to any port = http flags S/SA keep state label "TCP-OUT IPv6"
[ Evaluations: 1 Packets: 7 Bytes: 512 States: 1 ]
[ Inserted: uid 0 pid 10568 ]
...
I also attach my full pf.conf.
Maybe some of you guys can shed some light on this.
Thanks!
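One thing worth checking in the extract above: the inbound ICMPv6 list allows neighbor advertisements but not neighbor solicitations, and the outbound list allows solicitations but not advertisements, yet Neighbor Discovery needs both types in both directions, otherwise the router cannot refresh the host's link-layer address and traffic stalls even though a TCP state exists. The block below is an added example of an ICMPv6 rule set for an IPv6 client host, not the poster's configuration; it assumes `$ext_if` is defined as in the original pf.conf.

```pf
# Added example, not the poster's pf.conf: ICMPv6 rules for an IPv6 client
# host. $ext_if is assumed to be defined elsewhere, as in the original file.

# Neighbor Discovery needs solicitation AND advertisement in BOTH directions:
# the router solicits this host's link-layer address and the host must answer,
# and this host solicits the router's address and must receive the answer.
# Router solicitations only go out; router advertisements only come in.
icmp6_ndp_in  = "{ neighbrsol, neighbradv, routeradv }"
icmp6_ndp_out = "{ neighbrsol, neighbradv, routersol }"

# Echo plus the ICMPv6 error messages. 'toobig' carries Path MTU Discovery,
# which IPv6 depends on because routers never fragment packets in transit.
icmp6_in  = "{ echoreq, unreach, toobig, timex, paramprob }"
icmp6_out = "{ echoreq, unreach, toobig, timex, paramprob }"

block in log inet6 label "REJECTED IPv6"

# Neighbor Discovery is constant link-local chatter; pass it unlogged so the
# "REJECTED IPv6" log shows only traffic that is really unexpected.
pass in  quick on $ext_if inet6 proto icmp6 all icmp6-type $icmp6_ndp_in
pass out quick on $ext_if inet6 proto icmp6 all icmp6-type $icmp6_ndp_out

# Stateful echo and error handling: an outbound echoreq state admits the
# echo reply, and errors for tracked TCP/UDP sessions match their states.
pass in  on $ext_if inet6 proto icmp6 all icmp6-type $icmp6_in  keep state
pass out on $ext_if inet6 proto icmp6 all icmp6-type $icmp6_out keep state

# To see what the truncated "[|ip6]" pflog entries really are, capture whole
# packets instead of the 96-byte default:  tcpdump -n -e -ttt -s 0 -i pflog0
```

Load it with `pfctl -nf /etc/pf.conf` first to check the syntax, then compare `pfctl -vvsr` counters for the "REJECTED IPv6" rule before and after the change.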