On 2014-07-09 17:30, Ermal Luçi wrote:
On Wed, Jul 9, 2014 at 2:42 PM, Mark Martinec
<mark.martinec+free...@ijs.si> wrote:

    On 2014-07-09 0:32, Kristian K. Nielsen wrote:
        f) IPv6 support? - it seems to be more and more challenged in the
        current version of pf in FreeBSD and I am (as well as others)
        introducing more and more IPv6 in networks.
        E.g. bugs #179392, #172648, #130381, #127920 and more seriously
        #124933, which is the bug on not handling IPv6 fragments which has
        been open since 2008 and where the workaround is the necessity to
        leave an open hole in your firewall ruleset to allow all fragments.
        According to a comment in the bug, this has been long gone in OpenBSD.

    The neglect of IPv6 in FreeBSD's pf is a real deal-breaker for us.
    Besides the long-standing bugs (like: scrub reassemble tcp
    breaks CRC on IPv6), the following stands out:

Can you be a bit more verbose on this one?

http://www.freebsd.org/cgi/query-pr.cgi?pr=172648


    - last time I looked, neither PF nor IPFW could be used on a
    FreeBSD kernel built WITHOUT_INET. This means that features
    like ssh-guard and per-application protection on a dedicated
    IPv6-only host are not available

I am not sure on the version in FreeBSD 10 but on FreeBSD 9 and before
it should be possible to compile without INET afair!
Which version of FreeBSD are you testing this on?

It compiles just fine, but can't be loaded or run.

If memory serves, pf kernel module loads fine but pfctl fails,
and the ipfw kernel module can't be loaded at all. Will need
to re-run this experiment to make sure, and will report back.

  Mark

_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"
