-
July 26th, 2006, 04:01 PM
#1
FreeBSD, PF and IPv6
Anybody familiar with FreeBSD, PF and IPv6?
I've got IPv6 set up properly. No problems there. All my machines have a global IPv6 address.
My firewall has 2 NICs. One connected to the Internet, the other to my LAN. Pf.conf looks like this:
Code:
ext_if="rl0"
int_if="rl1"
block in on $ext_if inet6 from any to any
If I load this rule I'm still able to access my 'internal' machines using their global IPv6 address.
WTF? PF supports IPv6 right? What am I doing wrong?
BTW the IPv4 rules on the firewall work as they should. No problems there.
Oliver's Law:
Experience is something you don't get until just after you need it.
-
July 26th, 2006, 05:03 PM
#2
Hi
From your description, I understand that your "firewall"-box
does route the IPv6-traffic.
Two questions to help to track down the problem - I apologise if
these are too obvious:
1. Does pf actually filter the IPv6 traffic? What happens if
you block all IPv6 (and perhaps the IPv4)?
Code:
block all
block quick inet6 all
2. If so, what about logging what it does? E.g. specifically for
tcp? (or just remove "proto tcp")
Code:
block in log all
block in log on $ext_if inet6 proto tcp from any to any
Cheers
If the only tool you have is a hammer, you tend to see every problem as a nail.
(Abraham Maslow, Psychologist, 1908-70)
-
July 27th, 2006, 08:04 AM
#3
Well, it turns out to be bloody obvious. Why didn't I see it?
I have a tunnelbroker gif0 where the IPv6 traffic is actually coming in. I need to firewall that interface and not the ethernet interface. Doh!
Thanks for the help sec_ware
Oliver's Law:
Experience is something you don't get until just after you need it.
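The fix described in post #3, sketched as a pf.conf fragment (an added example, not part of the original thread): the inet6 rules are bound to gif0, where the decapsulated IPv6 packets actually appear, while rl0 only ever sees IPv4 packets carrying protocol 41. The `tun_if` and `broker_v4` macros and the 192.0.2.1 address are assumptions (the address is a documentation placeholder), and the ICMPv6 and protocol 41 rules go beyond the single block rule shown in the thread.

```pf
# Interfaces named in the thread
ext_if = "rl0"              # physical NIC facing the Internet
int_if = "rl1"              # LAN NIC
tun_if = "gif0"             # tunnel broker interface (macro name is an assumption)

# Placeholder: IPv4 address of the tunnel broker's endpoint
broker_v4 = "192.0.2.1"

# Rule from post #1. It never matches tunnelled traffic: on rl0 the
# packets are IPv4 (inet) with protocol 41, not inet6.
# block in on $ext_if inet6 from any to any

# Default-deny for IPv6 arriving through the tunnel, logged to pflog0
# as suggested in post #2.
block in log on $tun_if inet6 all

# pf uses the last matching rule, so the exceptions follow the block.

# ICMPv6 errors needed for path MTU discovery and diagnostics; tunnels
# lower the MTU, so dropping "toobig" breaks connections with large packets.
pass in on $tun_if inet6 proto ipv6-icmp all \
    icmp6-type { unreach, toobig, timex, paramprob } keep state

# LAN hosts may open IPv6 connections outwards; replies are matched by state.
pass out on $tun_if inet6 all keep state

# Accept the encapsulated tunnel itself (IPv4 protocol 41) only from the
# broker, so other hosts cannot inject 6in4 packets into gif0.
block in log on $ext_if inet proto 41 all
pass in on $ext_if inet proto 41 from $broker_v4 to ($ext_if)
pass out on $ext_if inet proto 41 from ($ext_if) to $broker_v4
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, and `tcpdump -n -e -i pflog0` shows which interface and rule each logged packet matched.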