PF x IPv6 TCP ports

Hi guys,

I recently implemented the IPv6 stack on my AWS EC2 machine.
After a long time, dual stack is working...

But only with PF disabled.

With just a "pass all" rule, everything from Layer 3 and Layer 4 works (IPv4, IPv6, TCP ports, ICMP, ICMP6).

But with these simple general rules (for testing purposes), no external client can access my webserver over IPv6, only over IPv4:
Code:
tcp_services_in="{ 22, 80 }"
block all
pass out all keep state
pass in proto icmp
pass in proto icmp6
pass in proto tcp to port $tcp_services_in flags S/SA keep state

So, the question is: "proto tcp" includes both IPv4 and IPv6, right? Or is there an implicit "IPv4 default stack"?

I tried "pass in inet6 proto...", but it didn't work as I expected.
But without PF (or with just a "pass all" rule), everything works (ICMP and TCP ports) over IPv6.

This is the first time I've worked with an IPv6 stack.

Thanks all
 
Just an update...

It's so strange. When I change "pass all" to the rules I posted before, IPv6 traffic works for 2 or 3 minutes, after which it is blocked.
 
Code:
pass in proto tcp to port $tcp_services_in flags S/SA keep state
This only allows IPv4 (rule defaults to inet). And you don't need the flags S/SA keep state, they're implied.
Code:
pass in inet6 proto tcp to port $tcp_services_in

In order to allow both IPv4 and IPv6 you need 2 rules. One allowing IPv4 and one allowing IPv6.
 
Thanks SirDice,
But I already tried both rules, "pass in inet" and "pass in inet6".
But only IPv4 traffic works (for TCP ports and ICMP). IPv6 stops some minutes after reloading the rules (which is strange too).

Using tcpdump on the interface to test ICMP6, I receive the ICMP request, but I'm not returning an ICMP reply.
I don't know if PF is blocking ICMP request, or if PF is blocking ICMP reply to sender.

The "block log all" rule is not logging anything relevant to this in /var/log/pflog (pflog_enable="YES" in rc.conf).

I don't know if this matters, but I'm using net/dual-dhclient.

Tonight, I will try tcpdump and catch the exact time IPv6 traffic stops and what packet was sent before IPv6 goes down after enabling PF, because I suspect that some packet (probably sent periodically) is blocked, and after that IPv6 traffic stops.
But if you have any suggestions, they are always welcome.
 
Guys, I found the solution. It was solved!

While tcpdumping the interface, I saw that before IPv6 stopped, it was sending packets via UDP:546 (dhcp-client).
I put in the rule below, and after some minutes it worked:

Code:
udp6_services="{ 53, 123, 546, 1194}"
pass in quick on ena0 inet6 proto udp from any to any port $udp6_services keep state

Without this rule, IPv6 connectivity fell after some minutes.

But I don't understand why this rule was necessary.
My last rule was "pass out"; that is, all outgoing traffic was allowed. So why was UDP being blocked?
Or is this "pass out" rule implicitly TCP-only?
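The two-rule dual-stack advice in SirDice's reply and the DHCPv6 rule found in this last post, put together into one complete ruleset as an added example (this is not code from any of the posts in the thread). It assumes the interface name ena0 and the TCP ports 22 and 80 from the posts above, and it assumes that the DHCPv6 server answers from a link-local (fe80::/10) address on udp/547, which is the usual behaviour and is also the reason the "pass out ... keep state" rule does not cover the reply: the client's solicit/renew goes out to the multicast group ff02::1:2, while the answer comes back from a unicast source, so the state entry created by the outbound packet never matches the inbound one and the reply is dropped by "block all". Router Advertisements are unsolicited ICMPv6 as well, so they likewise need an explicit pass-in rule.

```pf
# Added example ruleset, not from the thread. Assumed values: interface ena0,
# services 22/80, and a DHCPv6 server replying from fe80::/10 port 547.
ext_if = "ena0"
tcp_services_in = "{ 22, 80 }"

set skip on lo0
block log all

# Outbound, per address family, with state (keep state is the default).
pass out quick on $ext_if inet
pass out quick on $ext_if inet6

# ICMP for IPv4, and the ICMPv6 types IPv6 cannot function without:
# Neighbor Discovery, Router Advertisements, Path MTU and error messages.
pass in quick on $ext_if inet proto icmp
pass in quick on $ext_if inet6 proto icmp6 icmp6-type { echoreq, unreach, toobig, timex, paramprob, routeradv, neighbrsol, neighbradv, redir }

# DHCPv6 replies: server (link-local, udp/547) to client (udp/546). The
# outbound solicit to ff02::1:2 creates no matching state for this reply.
pass in quick on $ext_if inet6 proto udp from fe80::/10 port 547 to any port 546

# Public TCP services, one rule per address family. ($ext_if) tracks the
# interface's addresses as DHCP/DHCPv6 changes them.
pass in quick on $ext_if inet proto tcp to ($ext_if) port $tcp_services_in
pass in quick on $ext_if inet6 proto tcp to ($ext_if) port $tcp_services_in
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and watch `tcpdump -n -e -ttt -i pflog0` while the DHCPv6 lease renews: with the thread's original ruleset the blocked reply shows up there as an inbound udp/547 to udp/546 packet, which is the quickest confirmation that this rule, not the TCP rules, is what was missing.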
 