Hi,
I use OpenBSD 5.0 with 2 NICs: rl0 and fxp0
rl0: LAN / fxp0: egress, Internet
On the OpenBSD firewall I can ping6 ipv6.google.com and 'lynx ipv6.google.com' works.
But on the workstations I can't ping -6 ipv6.google.com and IPv6 websites are not reached.
Kernel setup:
net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1
net.inet6.ip6.accept_rtadv=0
My pf.conf:
he="66.220.2.74"
heserver="216.xx.xx.xx"
lan="rl0"
set skip on {lo,gif0}
set block-policy drop
match out on egress from $lan:network to any nat-to egress $opt
match in all scrub (no-df max-mss 1440)
block log all
pass in proto ipv6 from $heserver to egress keep state
pass out proto ipv6 from egress to $heserver keep state
pass out on egress inet proto udp
pass out on egress inet proto tcp $opt
pass in on $lan inet6
pass out on egress inet6
pass in on $lan inet proto tcp from $lan:network to port {www,https}
pass in on $lan inet proto udp from $lan:network to port domain
pass out on egress inet proto icmp all icmp-type echoreq
pass in on $lan inet proto icmp all icmp-type echoreq
pass in on egress inet proto icmp from $he to any icmp-type echoreq
Please, can you help me allow my hosts to use IPv6?
Thank you very much.
www.mouedine.net
First question... if you turn the firewall off, can your LAN hosts communicate with the IPv6 world?
Here's what I have in my pf.conf for IPv6:
# External and internal interfaces
ext="xl0"
int="bge0"
# HE tunnel interface
tun="gif0"
# My LAN range
lan="192.168.1.0/24"
# My LAN IPv6 range - my routed /64
lanv6="2001:470:x:xx::/64"
# The tunnel endpoint at HE
tunnel="216.66.xx.x"
# I allow SSH to IPv6 hosts
pass in quick log on $tun inet6 proto tcp from any to $lanv6 port ssh modulate state
# Allow the HE tunnel
pass in proto 41 from $tunnel to $ext keep state
pass out proto 41 from $ext to $tunnel keep state
# Allow any IPv6 outbound
pass out on $tun inet6 all keep state
# pass in/out all IPv6 ICMP traffic
pass in quick proto icmp6 all
pass in quick on $ext proto icmp6 all
There are lots of other rules in my firewall definitions, but I think you'll need to add the pass rules for protocol 41 for starters.
Proto 41 = ipv6 services (see /etc/services)
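The rules in the reply above are excerpts from a larger ruleset. As an added example that is not part of the thread, here is a minimal, self-contained pf.conf for an OpenBSD 5.x router that terminates a Hurricane Electric 6in4 tunnel on gif0 and routes a /64 to the LAN. Interface names follow the first post (fxp0 external, rl0 LAN); the HE endpoint 203.0.113.1 and the prefix 2001:db8:1:1::/64 are placeholders (RFC 5737 / RFC 3849 documentation addresses), not the thread's values. Protocol 41 is the IPv4 protocol number of the 6in4 encapsulation (it appears as "ipv6" in /etc/protocols, which is why "proto ipv6" and "proto 41" are interchangeable in pf.conf); the sysctl and rtadvd prerequisites are stated in the comments because no pf rule can substitute for them.

```conf
# Added example (not from the thread): minimal pf.conf for an OpenBSD router
# terminating an HE 6in4 tunnel on gif0 and routing a /64 to the LAN.
# Interface names follow the first post; all addresses are placeholders.
# IPv4 NAT and service rules are omitted to keep the IPv6 path visible.
#
# Outside pf, the router needs (assumed, in /etc/sysctl.conf):
#   net.inet.ip.forwarding=1
#   net.inet6.ip6.forwarding=1
#   net.inet6.ip6.accept_rtadv=0      # a router must not take its own RAs
# and the LAN hosts need a global address plus a default route: either put
# the routed /64 on rl0 and run rtadvd(8) on it, or configure them by hand.
# Without that, the workstations cannot reach IPv6 whatever pf allows.

ext    = "fxp0"                # Internet-facing interface, IPv4 only
lan    = "rl0"                 # LAN interface, carries the routed /64
tun    = "gif0"                # 6in4 tunnel, carries decapsulated IPv6
he_v4  = "203.0.113.1"         # HE tunnel server IPv4 endpoint (placeholder)
lan_v6 = "2001:db8:1:1::/64"   # /64 routed to you by HE (placeholder)

set skip on lo0
set block-policy drop

# Normalise traffic. gif0 has a 1280-byte MTU, so clamp TCP MSS on the
# tunnel (1280 - 40 IPv6 - 20 TCP = 1220): otherwise sessions stall whenever
# an ICMPv6 "packet too big" is filtered upstream and PMTUD cannot work.
match in all scrub (no-df max-mss 1440)
match on $tun inet6 proto tcp scrub (max-mss 1220)

block log all

# 1. The tunnel itself is IPv4 protocol 41 (6in4) between the router's
#    public address and HE. It is seen on $ext as inet, never as inet6,
#    so "pass ... on $ext inet6" rules will never match it.
pass in  on $ext inet proto 41 from $he_v4 to ($ext)
pass out on $ext inet proto 41 from ($ext) to $he_v4

# 2. After decapsulation the IPv6 packets appear on $tun. Let the router's
#    own traffic and forwarded LAN traffic out; the state created here
#    (states float across interfaces by default) admits the replies.
pass out on $tun inet6

# 3. Forwarded LAN traffic enters on $lan. Only the routed prefix may
#    source packets, which also stops spoofed or misconfigured hosts.
pass in  on $lan inet6 from $lan_v6 to any
pass out on $lan inet6 from any to $lan_v6

# 4. ICMPv6 is not optional in IPv6. Neighbour and router discovery on the
#    LAN use link-local addresses (fe80::/10), not the routed prefix, so
#    rule 3 does not cover them; on the tunnel, admit the error types PMTUD
#    depends on, plus echo so the tunnel can be tested from outside.
pass on $lan inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv, routersol, routeradv }
pass in on $tun inet6 proto icmp6 icmp6-type { echoreq, unreach, toobig, timex, paramprob }

# 5. Nothing else from the IPv6 Internet reaches the LAN: every host in the
#    /64 has a public address, so expose services one at a time, e.g.:
# pass in on $tun inet6 proto tcp from any to 2001:db8:1:1::10 port ssh

antispoof for { lo0, $lan, $ext, $tun }
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f`. When a LAN host still cannot reach IPv6, `tcpdump -n -e -ttt -i pflog0 ip6` shows which rule is dropping the packet and on which interface, and `ndp -an` on the router shows whether the host's neighbour entry ever appeared; if it did not, the problem is router advertisement or addressing on the LAN, not the filter. The first post's `set skip on gif0` leaves the tunnel unfiltered in both directions, which is a reasonable way to answer the "turn the firewall off" question above, but rules 2 and 4 are what you want in place before leaving it running.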
I already have these lines (see first post):
pass in proto ipv6 from $heserver to egress keep state
pass out proto ipv6 from egress to $heserver keep state
I think that my problem comes from this: I deny UDP traffic (port 53) over inet6 ... need to test it tomorrow.
If someone has any idea... ;-) And thank you very much for your replies.
Wesley.
milo97400, I have the same problem.
Did you find the solution?
Quote from: ngyurov on January 04, 2012, 12:26:10 AM
milo97400, I have the same problem.
Did you find the solution?
Here's what I have in my OpenBSD pf setup. It allows stateful outbound IPv6 and only SSH inbound.
# $OpenBSD: pf.conf,v 1.28 2004/04/29 21:03:09 frantzen Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.
ext="xl0"
int="bge0"
tun="gif0"
localhost="127.0.0.1"
lan="192.168.1.0/24"
lanv6="2001:xxxx:x:xx::/64"
tunnel="216.66.x.x"
# set 'bhlogit' to "log" to log blackhole drops (currently rules 9 and 10)
bhlogit=""
logit="log"
udp_traceroute = "33435:33525"
ok_ssh = "{ 192.168.0.0/16, 65.x.x.253 }"
block_tcp = "{ 23, 445, 135:139, 559, 1024, 1433, 3072, 5900, 5901 }"
block_udp = "{ 80, 443, 135:139, 1024:1026, 1434 }"
# these won't be logged when dropped
drop_tcp_ports = "{ 80, 443, 8080, 16642, 25975, 35048, 36103 }"
drop_udp_ports = "{ echo, 16642, 25975, 35048 }"
table <blackhole> persist file "/etc/blackhole.txt"
table <droplist> persist file "/etc/droplist.txt"
table <ssh-violations> persist file "/etc/ssh-violations.txt"
# Services visible from the outside - remove any you're not using
services = "{ domain }"
# Non-routable IP ranges
nonroutable = "{ 127.0.0.0/8, 0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 204.152.64.0/23 }"
# Ignore loopback
set skip on lo0
# Fix fragmented packets
match in all scrub (no-df random-id)
# NAT
# nat: packets going out through xl0 with source addr 192.168.1.0/24
# will get translated as coming from our external address. State is
# created for such packets, and incoming packets will be redirected to
# the internal address.
match out on $ext from $int:network to any nat-to ($ext)
# Packet filtering rules
anchor "ftp-proxy/*"
pass in quick on $int inet proto tcp to port ftp divert-to 127.0.0.1 port 8021
block drop in quick $bhlogit on $ext from <blackhole> to any
block drop in quick $bhlogit on $ext from <droplist> to any
block drop in quick $bhlogit on $ext from <ssh-violations> to any
block out quick $bhlogit on $ext from any to <blackhole>
block out quick $bhlogit on $ext from any to <droplist>
pass quick on lo0 all
#
# This allows IPv6 traffic to flow to the SSH server
#
pass in quick log on $tun inet6 proto tcp from any to $lanv6 port ssh modulate state
# Block unroutable
block drop in quick log on $ext from $nonroutable to any
block drop out quick log on $ext from any to $nonroutable
# Block incoming from the internet
block in log on $ext all
block in on $ext inet proto tcp to any port $drop_tcp_ports
block in on $ext inet proto udp to any port $drop_udp_ports
block return in on $ext inet proto tcp to any port www
block in quick $logit on $ext inet proto tcp to any port $block_tcp
block in quick $logit on $ext inet proto udp to any port $block_udp
#
# Allow the HE tunnel
#
pass in proto 41 from $tunnel to $ext keep state
pass out proto 41 from $ext to $tunnel keep state
# pass in/out all IPv6 ICMP traffic
pass in quick proto icmp6 all
pass in quick on $ext proto icmp6 all
# allow ping
pass in inet proto icmp all icmp-type echoreq code 0 keep state
# Allow traceroute
pass in on $ext inet proto udp to ($ext) port { $udp_traceroute }
# Allow traffic to/from the inside
pass in on $int from $int:network to any keep state allow-opts
pass out on $int from any to $int:network keep state
# Allow incoming services - domain
pass in quick on $ext inet proto tcp from any to any port $services allow-opts
pass in quick inet proto tcp from $ok_ssh to ($ext) port ssh modulate state
pass in quick inet proto tcp from any to ($ext) port ssh \
modulate state(max-src-conn-rate 4/120, \
overload <ssh-violations> flush global)
pass in on $ext inet proto tcp from any to ($ext) port smtp keep state
pass out on $int inet proto tcp from any to any port smtp keep state
# UDP: allow DNS since I run a public nameserver (remove if you don't!)
pass in on $ext inet proto udp from any to ($ext) port domain
pass in on $ext inet proto udp from any to any port 37144
pass out on $ext inet proto tcp from any to any port domain
# Make stateful connections to the internet
pass out on $ext inet proto tcp all modulate state flags S/SA
pass out on $ext inet all keep state
#
# Allow traffic out the tunnel interface
#
pass out on $tun inet6 all keep state
#
# Other NAT rules go here
#
# Anti-spoof
antispoof for { lo0, $int, $ext, $tun }