pf problems with ipv6

Hello,

I'm running a FreeBSD 9.1-RELEASE server that acts as an IPv4 gateway. My French ISP allows me to get an IPv6 address (6RD) so I wanted my server to become an IPv6 client.

So I added to rc.conf:
Code:
ifconfig_nfe0_ipv6="inet6 accept_rtadv"
and I get a proper IPv6 address without problems. I also changed my packet filter rules to allow IPv6 traffic inbound and outbound.

Problem: only ping6 works.

I tried a wget -6 ipv6.google.com but a connection timeout occurred.

Here are my pf rules:
Code:
##VARS##
#IFACES
if_net="nfe0"
if_lan="em0"
if_wi="em1"
tap_vpn="tap0"
bridge_vpn="bridge0"

#SERVICES
net_tcp_services="{ smtp, http, https, imap, imaps, 9101, 8081, 1194, 631, 31000, 6881:6889, 24300, 60000:65535 }"
net_udp_services="{ 1194 }"

#TABLES
table <lan> { 192.168.0.0/24 }
table <lan_wifi> { 192.168.1.0/24 }
table <lan_vpn> { 192.168.2.0/24 }
table <bruteforce> persist

#HOSTS
workstation="192.168.0.1"
freeplayer="212.27.38.253"

#OPTIONS
set loginterface nfe0
set optimization normal
set block-policy drop
set require-order yes
set fingerprints "/etc/pf.os"
set ruleset-optimization basic
set skip on lo0

#NORMALISATION
scrub out all random-id
scrub all reassemble tcp

#NAT
nat on $if_net from <lan> to !<lan>  -> ($if_net)
nat on $if_net from <lan_wifi> to !<lan_wifi> -> ($if_net)

#WORKSTATION
rdr on $if_net proto udp  from $freeplayer to $if_net port 1500 -> $workstation port 1500

#DEFAULT POLICY
block log all
block quick from <bruteforce>

#NMAP SCANS
block in log quick on $if_net inet proto tcp from any to any flags FUP/FUP

#ANTISPOOF
antispoof for $if_net

#LAN TRAFFIC
pass quick on $if_lan

#IPV4 AND IPV6 WAN OUTGOING TRAFFIC
pass out quick on $if_net proto tcp all modulate state flags S/SA
pass out quick on $if_net proto { udp, icmp, icmp6 } all keep state

#IPV6 STUFF
pass in on $if_net inet6 proto icmp6 all icmp6-type {routeradv, routersol, neighbradv, neighbrsol}

#SERVICES ALLOWED FROM INTERNET
pass in on $if_net proto { tcp, udp } from $freeplayer to any

pass in on $if_net proto tcp from any to $if_net port ftp flags S/SA keep state \
(max-src-conn 5, max-src-conn-rate 5/150, overload <bruteforce> flush global)

pass in on $if_net proto tcp from any to $if_net port 22 flags S/SA keep state \
(max-src-conn 5, max-src-conn-rate 2/30, overload <bruteforce> flush global)

pass in on $if_net proto tcp from any to $if_net port $net_tcp_services
pass in on $if_net proto udp from any to $if_net port $net_udp_services

#OPENVPN TRAFFIC
pass on $bridge_vpn from <lan_vpn> to any

I tried to check my rules with a tcpdump -n -e -ttt -i pflog0 without success.

But if I disable pf via pfctl -d the wget -6 command works.

My rules are wrong but I don't know how to correct them.
 
Don't use reassemble tcp with IPv6; it's known to be broken. In fact any kind of address translation is broken on pf(4) and IPv6 at the moment. Use fragment reassemble for IPv6 traffic.
 
Even with this ruleset you should be able to successfully:

> ping6 2001:4860:4860::8888

Change this:

Code:
pass out quick on $if_net proto tcp all modulate state flags S/SA

to this:

Code:
pass out quick on $if_net proto tcp all

@kpa,
why do you say that NAT is broken?
 
Thank you for your advice.
I'm going to test this tonight.

But the strange thing is: it was working before without changing any rules.
The only thing I did was a make buildkernel/install and make buildworld/installworld from 9.0-p4 to 9.1-RELEASE.
 
This:
Code:
#IPV4 AND IPV6 WAN OUTGOING TRAFFIC
pass out quick on $if_net proto tcp all modulate state flags S/SA
pass out quick on $if_net proto { udp, icmp, icmp6 } all keep state
Only allows IPv4, not IPv6.

If there's no inet or inet6 in a rule it will default to inet (IPv4).
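The point above (a rule with no family keyword matches inet only) together with kpa's earlier advice (no reassemble tcp for IPv6, use fragment reassemble instead) can be put into the ruleset as follows. This is an added example, not the original poster's ruleset or a reply from the thread; it reuses the $if_net macro and the ICMPv6 rule from the posted pf.conf and shows only the scrub and WAN-outgoing section, with the address family written out on every rule.

```pf
# Added example: the normalisation and outgoing-WAN section of the posted
# ruleset rewritten with explicit address families. $if_net is the macro
# from the original post; everything else in the posted pf.conf stays as is.
if_net="nfe0"

#NORMALISATION
# The original 'scrub all reassemble tcp' has no family keyword, so it only
# ever applied to IPv4 anyway; keep TCP reassembly for inet and give inet6
# plain fragment reassembly, as suggested in the thread.
scrub out inet all random-id
scrub inet all reassemble tcp
scrub inet6 all fragment reassemble

#IPV4 WAN OUTGOING TRAFFIC
# Identical to the original rules, with 'inet' spelled out so the intent is
# visible in 'pfctl -sr'.
pass out quick on $if_net inet proto tcp all modulate state flags S/SA
pass out quick on $if_net inet proto { udp, icmp } all keep state

#IPV6 WAN OUTGOING TRAFFIC
# Without 'inet6' these two rules would match IPv4 only, and every outgoing
# IPv6 TCP or UDP packet would hit 'block log all'. No 'modulate state' here,
# following kpa's change for the IPv6 case.
pass out quick on $if_net inet6 proto tcp all flags S/SA keep state
pass out quick on $if_net inet6 proto { udp, icmp6 } all keep state

#IPV6 STUFF (unchanged from the original post)
pass in on $if_net inet6 proto icmp6 all icmp6-type {routeradv, routersol, neighbradv, neighbrsol}
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, then compare `pfctl -sr` output: each rule is printed with its effective family, which is how the implicit-IPv4 behaviour shows up. Not discussed in the thread, but worth knowing when tightening the inbound ICMPv6 rule: the ICMPv6 "packet too big" type (`toobig` in pf) must be allowed in for IPv6 path MTU discovery to work.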
 
Yup!

A pfctl -sr confirms that!
So I just need a rule with inet6 to allow outgoing IPv6 traffic from my $if_net.

Thanks for your help!
 