Hi guys,
This is my third day trying to figure out what the heck is going on with the PF IPv6 filter. Some time after I enable PF, the /128 IPv6 addresses become unreachable, even with the specific TCP ports allowed. I have a dedicated server with a /64 block assigned, but I use /112 blocks on the host and guests. If I try to use curl to connect to the guest IPv6 address, it doesn't work, but IPv4 is still accepting connections normally. This is kind of odd, because pfctl doesn't even show the state of the IPv6 address when the problem occurs, and the /112 addresses keep working. Am I doing something wrong?

Host configuration files
/etc/rc.conf
Code:
ipv6_activate_all_interfaces="YES"
ipv6_default_interface="igb0"
ifconfig_igb0="inet X.X.X.132 netmask 255.255.255.0"
ifconfig_igb0_ipv6="inet6 accept_rtadv XXXX:XXXX:XXX:XXXX::1 prefixlen 112"
ifconfig_igb0_alias0="inet X.X.X.66 netmask 255.255.255.255"
ifconfig_igb0_alias1="inet6 XXXX:XXXX:XXX:XXXX::80 prefixlen 128"
defaultrouter="X.X.X.254"
ipv6_static_routes="ovh"
ipv6_route_ovh="-host XXXX:XXXX:XXX:XXXX:ff:ff:ff:ff -iface igb0"
ipv6_defaultrouter="XXXX:XXXX:XXX:XXXX:ff:ff:ff:ff"
cloned_interfaces="bridge0 tap0"
ifconfig_bridge0="addm igb0 addm tap0"
/etc/pf.conf
Code:
ext_if = "igb0"
# Only the /112 addresses are listed here; the /128 aliases
# (::80 on the host, ::1:80 on the guest) are not in either table.
table <host> const { X.X.X.132, XXXX:XXXX:XXX:XXXX::1 }
table <guest> const { X.X.X.121, XXXX:XXXX:XXX:XXXX::1:1 }
table <blacklist> persist file "/etc/pf.blacklist"
table <bruteforce> persist
set skip on lo0
scrub in all fragment reassemble max-mss 1440
#antispoof quick for $ext_if
block in quick on $ext_if from { <blacklist>, <bruteforce> } to any
# Default deny inbound on igb0: anything not matched by a pass rule below is
# dropped, including packets to destinations outside <host>/<guest>.
block in on $ext_if
pass in on $ext_if proto tcp to { <host>, <guest> } port 2022 \
keep state (max-src-conn 10, max-src-conn-rate 4/60, \
overload <bruteforce> flush global)
pass in on $ext_if proto tcp to { <host>, <guest> } port { 990, 10000:10100 }
# Web ports are passed to any destination address, not only the tables.
pass in on $ext_if proto tcp to port { 80, 443 }
pass in on $ext_if proto icmp to { <host>, <guest> }
# ICMPv6 is passed only when the destination is a table address.
pass in on $ext_if proto icmp6 to { <host>, <guest> }
pass out all
Guest configuration files
/etc/rc.conf
Code:
ipv6_activate_all_interfaces="YES"
ipv6_default_interface="vtnet0"
ifconfig_vtnet0="inet X.X.X.121 netmask 255.255.255.255"
ifconfig_vtnet0_alias0="inet X.X.X.67 netmask 255.255.255.255"
ifconfig_vtnet0_ipv6="inet6 accept_rtadv XXXX:XXXX:XXX:XXXX::1:1 prefixlen 112"
ifconfig_vtnet0_alias1="inet6 XXXX:XXXX:XXX:XXXX::1:80 prefixlen 128"
static_routes="ovh"
route_ovh="-net X.X.X.254 -iface vtnet0"
defaultrouter="X.X.X.254"
ipv6_static_routes="ovh"
ipv6_route_ovh="-host XXXX:XXXX:XXX:XXXX:ff:ff:ff:ff -iface vtnet0"
ipv6_defaultrouter="XXXX:XXXX:XXX:XXXX:ff:ff:ff:ff"
Thank you in advance.
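An added example, not part of the original post and not the poster's configuration: a rewritten /etc/pf.conf for the same host that changes the two things a reader would check first when /128 aliases "stop answering after a while" while the /112 addresses keep working. It puts the /128 aliases into the tables, and it passes ICMPv6 neighbor discovery to any IPv6 destination. The reasoning is that neighbor solicitations for an address are sent to its solicited-node multicast group (ff02::1:ffXX:XXXX) and router advertisements to ff02::1, so a rule that only passes icmp6 "to <host>" never matches them and they fall through to "block in"; once the upstream router's neighbor cache entry for the /128 expires it can no longer resolve the address, while an address the host itself uses as source keeps getting refreshed by unicast probes. Whether that is the cause here is an assumption: confirm it with `ndp -an` on the host and `tcpdump -ni igb0 icmp6` while a /128 address is unreachable, and syntax-check the file with `pfctl -nf /etc/pf.conf` before loading it. The placeholder addresses are copied from the post.

```pf
# Added example (not the poster's config). Assumption: the /128 aliases fail
# because neighbor discovery for them is blocked; verify before relying on it.

ext_if = "igb0"

# Every address PF must accept traffic for, /112 and /128 aliases alike.
table <host> const { X.X.X.132, X.X.X.66, XXXX:XXXX:XXX:XXXX::1, XXXX:XXXX:XXX:XXXX::80 }
table <guest> const { X.X.X.121, X.X.X.67, XXXX:XXXX:XXX:XXXX::1:1, XXXX:XXXX:XXX:XXXX::1:80 }
table <blacklist> persist file "/etc/pf.blacklist"
table <bruteforce> persist

set skip on lo0
scrub in all fragment reassemble max-mss 1440

block in quick on $ext_if from { <blacklist>, <bruteforce> } to any
block in on $ext_if

# Neighbor and router discovery. These arrive at multicast destinations
# (solicited-node groups and ff02::1), so they must be passed to any
# destination, not "to <host>". ND is not a flow, hence "no state".
pass in quick on $ext_if inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv, routersol, routeradv } no state

# Unicast ICMPv6 the hosts need: ping, and the error types that keep
# path-MTU discovery working (packet-too-big must not be dropped).
pass in on $ext_if inet6 proto icmp6 to { <host>, <guest> } icmp6-type { echoreq, toobig, timex, paramprob, unreach }
pass in on $ext_if inet proto icmp to { <host>, <guest> }

# Service rules, unchanged from the post apart from the fuller tables.
pass in on $ext_if proto tcp to { <host>, <guest> } port 2022 \
    keep state (max-src-conn 10, max-src-conn-rate 4/60, \
    overload <bruteforce> flush global)
pass in on $ext_if proto tcp to { <host>, <guest> } port { 990, 10000:10100 }
pass in on $ext_if proto tcp to port { 80, 443 }

pass out all
```

The ND rule is placed before the service rules and marked quick so it is evaluated regardless of what is added later. If the guest also runs PF, it needs the same neighbor-discovery rule on vtnet0, because the host bridge forwards the router's solicitations to it unchanged.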