On 21 Jun 2020, at 23:11, David Mehler wrote:
Anyone a pf expert wanting to make some extra money?
I'm in need of consulting. I'm having an issue with my PF
configuration; I've got a much longer message with output and netstat
and all that. If anyone is interested, email me privately with rates
and I'll send the details. In brief: I've got FreeBSD 12.1 going, and
my provider gives me an IPv6 address. On boot, if I ping6 out I get a
"UDP connect no route to host" message. If I disable and re-enable pf I
can ping6 out as root, and as a user, for about five minutes; then I
start getting to where packets are able to be sent out, but nothing comes back.
About five minutes later, again as root and as a user, I'm getting the
"UDP connect no route to host" message.
That sounds a lot like you're dropping router and/or neighbour
advertisements.
Make sure you've got at least the following pass rules:

# IPv6 link-local traffic
pass quick inet6 proto icmp6 from :: to ff02::/16
pass quick inet6 proto icmp6 from fe80::/10 to fe80::/10
pass quick inet6 proto icmp6 from fe80::/10 to ff02::/16

# IPv6 Traffic That Must Not Be Dropped (RFC4890 4.3.1)
pass quick inet6 proto icmp6 from any to any icmp6-type { unreach, toobig }
pass quick inet6 proto icmp6 from any to any icmp6-type timex code 0
pass quick inet6 proto icmp6 from any to any icmp6-type { paramprob code 1, paramprob code 2 }
pass quick inet6 proto icmp6 from any to any icmp6-type { echoreq, echorep }

# IPv6 Traffic That Normally Should Not Be Dropped (RFC4890 4.3.2)
pass quick inet6 proto icmp6 from any to any icmp6-type timex code 1
pass quick inet6 proto icmp6 from any to any icmp6-type paramprob code 0

# IPv6 local configuration (ND, DAD, RS, etc...)
pass quick inet6 proto icmp6 from any to any icmp6-type { routersol, routeradv }
pass quick inet6 proto icmp6 from any to any icmp6-type { neighbrsol, neighbradv }
pass quick inet6 proto icmp6 from any to any icmp6-type { 141, 142 }
pass quick inet6 proto icmp6 from any to any icmp6-type { listqry, listenrep, listendone, 143 }
pass quick inet6 proto icmp6 from any to any icmp6-type { 148, 149 }
pass quick inet6 proto icmp6 from any to any icmp6-type { 151, 152, 153 }
At a guess the routersol/routeradv and neighbrsol/neighbradv are the ones
you're running into, but you likely want to allow all of these.
Best regards,
Kristof
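As an added example (not from Kristof's mail, nor part of pf), a small checker that reads a pf.conf ruleset and reports which Neighbour Discovery ICMPv6 types no pass rule admits, which is the failure the thread describes. The constructed rulesets PING_ONLY and WITH_ND are assumptions; rule order and `quick` are not modelled, so this is a presence check, not a ruleset simulator.

```python
import re
# ICMPv6 type names as pf.conf(5) spells them, with their type numbers.
ICMP6_NAMES = {
    "unreach": 1, "toobig": 2, "timex": 3, "paramprob": 4, "echoreq": 128,
    "echorep": 129, "listqry": 130, "listenrep": 131, "listendone": 132,
    "routersol": 133, "routeradv": 134, "neighbrsol": 135, "neighbradv": 136,
}
# Neighbour Discovery (RS, RA, NS, NA): drop these and the host loses its default
# router and neighbour cache as the learned entries expire ("no route to host").
ND_REQUIRED = {133, 134, 135, 136}
def _logical_rules(pfconf):
    """Strip comments and join brace lists that pf.conf lets span several lines."""
    rules, buf, depth = [], [], 0
    for raw in pfconf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line and not buf:
            continue
        depth += line.count("{") - line.count("}")
        buf.append(line)
        if depth <= 0:
            rules.append(" ".join(buf))
            buf, depth = [], 0
    return rules
def passed_icmp6_types(pfconf):
    """Type numbers some 'pass ... proto icmp6' rule admits; a from-any-to-any rule
    with no icmp6-type clause admits everything ('all').  Address-scoped rules with
    no type clause are not counted (NS/NA also travel between global addresses)."""
    types = set()
    for rule in _logical_rules(pfconf):
        if not rule.startswith("pass") or "icmp6" not in rule.split():
            continue
        m = re.search(r"icmp6-type\s+(\{[^}]*\}|\S+)", rule)
        if not m:
            if "from any to any" in rule:
                types.add("all")
            continue
        for item in m.group(1).strip("{} ").split(","):
            name = item.split()[0]  # drop a trailing "code N"
            types.add(ICMP6_NAMES.get(name, int(name) if name.isdigit() else name))
    return types
def missing_nd_types(pfconf):
    """Sorted ND types no pass rule admits; an empty list means ND can work."""
    allowed = passed_icmp6_types(pfconf)
    return [] if "all" in allowed else sorted(ND_REQUIRED - allowed)

# Constructed samples: a ruleset that only lets ping through, then the same with ND added.
PING_ONLY = "pass quick inet6 proto icmp6 from any to any icmp6-type { echoreq, echorep }\n"
WITH_ND = PING_ONLY + """pass quick inet6 proto icmp6 from any to any icmp6-type { routersol,
routeradv }
pass quick inet6 proto icmp6 from any to any icmp6-type { neighbrsol, neighbradv }"""
```

Feed it your own ruleset with `missing_nd_types(open("/etc/pf.conf").read())`; a non-empty list names the ND types that still need a pass rule.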
_______________________________________________
freebsd-pf@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-pf