[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re[2]: Not sure what's happening here?

Hello Dries,
Friday, December 06, 2002, 7:07:02 AM, you wrote:
>> > block in quick on $ExtIF inet6 from any to any
>> > pass in quick on $ExtIF proto 41 from to $ExtIP keep state
>> The difference is something like this:  proto 41 is ipv6 over ipv4,
>> while inet6 is native ipv6.
DS> You can also filter IPv6 traffic on the gif interface. Daniel has a nice
DS> pf.conf example on his website to demonstrate this:
DS> http://www.benzedrine.cx/pf.conf
I know and that's my intention. Just like IPSec. You have to allow AH
and ESP throu your external interface and filter on the tun0. I've
been diggin my "Unix Network Programming" and now I see that the
version (4 or 6) is in the first 4 bits of a packet. And the Protocol
is the tenth byte of the header on IPv4 while it's the seventh on
IPv6. So yep, I'm not a allowing IPv6 packets comming on the $ExtIF
(since I use the tunnel this is reasonable). But do allow the tunneled
packets. Which I later filter on the gif0, of course.
Best Regards,
Alejandro Belluscio