Hello,
as far as I can tell I've used this set of rules for months if not years on my FreeBSD server:
Code:
tcp_internet_out="{53, 80, 443, 123, 11371}"
udp_internet_out="{53}"
ext_if=em0
set skip on lo0
block in log (all)
block out log (all)
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port 1111 # custom ssh port
pass out quick on $ext_if inet proto tcp from ($ext_if) to any port $tcp_internet_out
pass out quick on $ext_if inet6 proto tcp from ($ext_if) to any port $tcp_internet_out
pass out quick on $ext_if inet proto udp from ($ext_if) to any port $udp_internet_out
pass out quick on $ext_if inet6 proto udp from ($ext_if) to any port $udp_internet_out
pass in quick on $ext_if inet proto icmp from any to ($ext_if) icmp-type echoreq
## allow icmp6 for getting address using IPv6 autoconfiguration from router
pass inet6 proto ipv6-icmp all icmp6-type routeradv
pass inet6 proto ipv6-icmp all icmp6-type routersol
## allow icmp6 for getting neighbor addressespass inet6 proto ipv6-icmp all icmp6-type neighbradv
pass inet6 proto ipv6-icmp all icmp6-type neighbrsol
## allow icmp6 echo, not required, but sometimes nice
pass in inet6 proto ipv6-icmp all icmp6-type echoreq
## pass icmp-types: unreachable, time exceeded, parameter problem
pass in inet6 proto ipv6-icmp all icmp6-type {1 3 4}
Now today I reinstalled the server with these same rules. I also upgraded the server to FreeBSD 12.3 (I've only been using FreeBSD 11 so far) but I doubt it's related.
Do you have any clue why these rules prevent IPv6 connectivity?
I say they do because when I have these rules I can't do
Code:
pkg search python
it hangs forever.
But
Code:
pkg -4 search python
works.
When I flush the rules, both work. So it's a problem with the rules but what is it?
I'm adding my /etc/rc.conf here:
Code:
zfs_enable="YES"
### Added by OVH - block start
# Network configuration (IPv4)
ifconfig_em0="inet xxx.xxx.xxx.xxx netmask 255.255.255.0 broadcast xxx.xxx.xxx.255"
defaultrouter="xxx.xxx.xxx.xxx"
# Network configuration (IPv6)
ifconfig_em0_ipv6="inet6 2001:41d0:xxxx:xxxx::1 prefixlen 128 accept_rtadv no_radr"
ipv6_network_interfaces="em0"
ipv6_default_interface="em0"
ipv6_defaultrouter="2001:41d0:xxxx:xxxx:xx:xx:xx:xx"
ipv6_route_ovhgw="2001:41d0:xxxx:xxxx:xx:xx:xx:xx -prefixlen 128 -interface em0"
ipv6_static_routes="ovhgw"
# Various options
dumpdev="AUTO"
clear_tmp_enable="YES"
accounting_enable="YES"
# Daemons
ntpd_enable="YES"
sshd_enable="YES"
local_unbound_enable="YES"
### Added by OVH - block end
hostname="xxxxxxxxxxxxxxxxx"
pf_enable="YES"
pflog_enable="YES"
pf_rules="/etc/pf.conf"
Any help would be greatly appreciated.
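
A check that can be run over a ruleset like the one posted: it lists which of the ICMPv6 neighbor discovery types named in the post's comments are matched by an uncommented `pass` rule. This is an added example, not part of the original post; the function names are hypothetical, and the sample is the ICMPv6 portion of the ruleset as it appears on this page.

```python
import re

# ND message types the post's comments say must pass (router and neighbor
# discovery), using the pf.conf type names from the posted rules.
REQUIRED_ND = {"routersol", "routeradv", "neighbrsol", "neighbradv"}


def active_rules(conf_text):
    """Return pf.conf lines with '#' comments and blank lines removed."""
    rules = []
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()  # everything after '#' is a comment
        if line:
            rules.append(line)
    return rules


def passed_icmp6_types(conf_text):
    """Collect icmp6-type values named by uncommented 'pass' rules."""
    types = set()
    for rule in active_rules(conf_text):
        if not rule.startswith("pass"):
            continue
        m = re.search(r"icmp6-type\s+(\{[^}]*\}|\S+)", rule)
        if m:  # single name or a {list}; separators are spaces or commas
            types.update(re.split(r"[\s,]+", m.group(1).strip("{} ")))
    return types


def missing_nd_types(conf_text):
    """ND types with no active pass rule (assumes types are given by name)."""
    return sorted(REQUIRED_ND - passed_icmp6_types(conf_text))


# ICMPv6 rules as they appear in the ruleset on this page
POSTED = """\
pass inet6 proto ipv6-icmp all icmp6-type routeradv
pass inet6 proto ipv6-icmp all icmp6-type routersol
## allow icmp6 for getting neighbor addressespass inet6 proto ipv6-icmp all icmp6-type neighbradv
pass inet6 proto ipv6-icmp all icmp6-type neighbrsol
pass in inet6 proto ipv6-icmp all icmp6-type echoreq
pass in inet6 proto ipv6-icmp all icmp6-type {1 3 4}
"""

if __name__ == "__main__":
    print("ND types with no active pass rule:", missing_nd_types(POSTED))
```

The same functions accept the text of a full `/etc/pf.conf`; macros are not expanded, so a type list hidden behind a macro would be reported as missing.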