
Re: Not sure what's happening here?



On Thu, 5 Dec 2002, jolan wrote:
> On Thu, Dec 05, 2002 at 09:21:05PM -0300, Alejandro G. Belluscio wrote:
> > I have a 3.2 release running as a firewall. I've got an IP tunnel
> > service from www.freenet6.net. So I use gif0 for the tunnel. It didn't
> > work when I just had the first rule. But then when I added the
> > second it magically pinged. The question is: is using inet6 different
> > from proto 41? Why?
> >
> > block in quick on $ExtIF inet6 from any to any
> > pass in quick on $ExtIF proto 41 from 206.123.31.114 to $ExtIP keep state
>
> The difference is something like this:  proto 41 is ipv6 over ipv4,
> while inet6 is native ipv6.
You can also filter IPv6 traffic on the gif interface. Daniel has a nice
pf.conf example on his website to demonstrate this:
http://www.benzedrine.cx/pf.conf
[snip]
# other protocols (IPv6 tunnel)
pass out on $ext_if inet proto ipv6 from $ext_if to 64.71.128.82 keep state
pass in  on $ext_if inet proto ipv6 from 64.71.128.82 to $ext_if keep state
=============================================================================
# tunnel interface (all external IPv6 traffic)
=============================================================================
# ICMP
pass out on gif0 inet6 proto ipv6-icmp from $ipv6_net to any \
ipv6-icmp-type echoreq keep state
pass in  on gif0 inet6 proto ipv6-icmp from any to $ipv6_net \
ipv6-icmp-type echoreq keep state
# UDP
pass out on gif0 inet6 proto udp from $ipv6_net to any keep state
pass in  on gif0 inet6 proto udp from any to $ipv6_net \
port $services_udp keep state
# TCP
pass out on gif0 inet6 proto tcp from $ipv6_net to any flags S/SA \
keep state
pass in  on gif0 inet6 proto tcp from any to $ipv6_net \
port $services_tcp flags S/SA keep state
Cheers,
Dries
-- 
Dries Schellekens
email: [email protected]
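The thread shows the two halves separately: the IPv4 carrier (protocol 41, "ipv6" in /etc/protocols) that has to be let through on the external interface, and the native IPv6 that is then filtered on gif0. Below is an added, self-contained pf.conf fragment (not Daniel's file and not the original poster's ruleset) that puts both halves together with a default deny, so the reason both rules were needed is visible in one place. Interface name, addresses and the IPv6 prefix are placeholders chosen for the example; the rule syntax is the pf syntax used in the snippet above.

```conf
# Added example: IPv6-in-IPv4 tunnel (gif0) behind pf, default deny.
# All macro values below are placeholders; replace with your own.
ext_if       = "ne3"              # assumed external interface
ext_ip       = "192.0.2.10"       # placeholder: our public IPv4 (tunnel endpoint)
tun_peer     = "203.0.113.5"      # placeholder: tunnel broker's IPv4 endpoint
ipv6_net     = "2001:db8::/48"    # placeholder: prefix routed to us via the tunnel
services_tcp = "{ 22, 80 }"       # IPv6 services reachable from outside
services_udp = "{ 53 }"

# Default deny on every interface and both address families.
block in  log all
block out log all

# Layer 1: the IPv4 carrier. Tunnelled IPv6 reaches $ext_if as IPv4 with
# protocol number 41 ("ipv6"). An inet6 rule on $ext_if never matches it,
# which is why a proto-41 pass is needed here. "keep state" on a non-TCP/UDP
# protocol tracks the address pair only, which is enough for a fixed peer.
pass out quick on $ext_if inet proto ipv6 from $ext_ip to $tun_peer keep state
pass in  quick on $ext_if inet proto ipv6 from $tun_peer to $ext_ip keep state

# No native IPv6 is expected on the external interface: drop it explicitly,
# as the original poster's first rule does.
block in  quick on $ext_if inet6 all
block out quick on $ext_if inet6 all

# Layer 2: after decapsulation the IPv6 packets appear on gif0 and are
# filtered there with inet6 rules, one set per protocol.
pass out on gif0 inet6 proto ipv6-icmp from $ipv6_net to any \
    ipv6-icmp-type echoreq keep state
pass in  on gif0 inet6 proto ipv6-icmp from any to $ipv6_net \
    ipv6-icmp-type echoreq keep state
pass out on gif0 inet6 proto udp from $ipv6_net to any keep state
pass in  on gif0 inet6 proto udp from any to $ipv6_net \
    port $services_udp keep state
pass out on gif0 inet6 proto tcp from $ipv6_net to any flags S/SA keep state
pass in  on gif0 inet6 proto tcp from any to $ipv6_net \
    port $services_tcp flags S/SA keep state
```

Parse the file without loading it with `pfctl -nf /etc/pf.conf` before activating it. If the tunnel still does not pass traffic, `tcpdump -i gif0` shows whether decapsulated IPv6 is arriving at all (a layer-2 filtering problem) while `tcpdump -i $ext_if ip proto 41` shows whether the carrier packets are getting through (a layer-1 problem); the `log` keyword on the block rules makes dropped packets visible on pflog0 as well.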