Hi folks, pf.conf on my gateway (6.1) says
bash-4.4# pfctl -sr | egrep -i icmp\|block
block return log all
pass quick inet proto icmp all keep state (if-bound)
pass quick inet6 proto ipv6-icmp all keep state (if-bound)

Problem is, a ping6 to the gateway's link-local address is not answered. The pflog file reveals

15:11:35.491878 rule 0/(match) [uid 0, pid 14639] block out on re1: [uid 4294967295, pid 100000] ::1 > fe80::f66d:4ff:fe73:ab4e: icmp6: echo reply (id:7445 seq:1) (len 64, hlim 64)
15:11:36.520792 rule 0/(match) [uid 0, pid 14639] block out on re1: [uid 4294967295, pid 100000] ::1 > fe80::f66d:4ff:fe73:ab4e: icmp6: echo reply (id:7445 seq:2) (len 64, hlim 64)
15:11:37.544670 rule 0/(match) [uid 0, pid 14639] block out on re1: [uid 4294967295, pid 100000] ::1 > fe80::f66d:4ff:fe73:ab4e: icmp6: echo reply (id:7445 seq:3) (len 64, hlim 64)

Please note the "::1". This address is not bound to re1.

If I disable the firewall(!), or if I use

pass quick inet6 proto ipv6-icmp all no state

then the icmp6 echo reply can pass:

bash-4.4# tcpdump -i re1 -env icmp6
tcpdump: listening on re1, link-type EN10MB
15:13:36.328563 f4:6d:04:73:ab:4e 80:ee:73:95:c1:0d 86dd 118: fe80::f66d:4ff:fe73:ab4e > fe80::82ee:73ff:fe95:c10d: icmp6: echo request (id:74c1 seq:30) [flowlabel 0x47412] (len 64, hlim 255)
15:13:36.328689 80:ee:73:95:c1:0d f4:6d:04:73:ab:4e 86dd 118: ::1 > fe80::f66d:4ff:fe73:ab4e: icmp6: echo reply (id:74c1 seq:30) (len 64, hlim 64)
15:13:37.352729 f4:6d:04:73:ab:4e 80:ee:73:95:c1:0d 86dd 118: fe80::f66d:4ff:fe73:ab4e > fe80::82ee:73ff:fe95:c10d: icmp6: echo request (id:74c1 seq:31) [flowlabel 0x47412] (len 64, hlim 255)
15:13:37.352845 80:ee:73:95:c1:0d f4:6d:04:73:ab:4e 86dd 118: ::1 > fe80::f66d:4ff:fe73:ab4e: icmp6: echo reply (id:74c1 seq:31) (len 64, hlim 64)
15:13:38.376557 f4:6d:04:73:ab:4e 80:ee:73:95:c1:0d 86dd 118: fe80::f66d:4ff:fe73:ab4e > fe80::82ee:73ff:fe95:c10d: icmp6: echo request (id:74c1 seq:32) [flowlabel 0x47412] (len 64, hlim 255)
15:13:38.376672 80:ee:73:95:c1:0d f4:6d:04:73:ab:4e 86dd 118: ::1 > fe80::f66d:4ff:fe73:ab4e: icmp6: echo reply (id:74c1 seq:32) (len 64, hlim 64)
15:13:39.400577 f4:6d:04:73:ab:4e 80:ee:73:95:c1:0d 86dd 118: fe80::f66d:4ff:fe73:ab4e > fe80::82ee:73ff:fe95:c10d: icmp6: echo request (id:74c1 seq:33) [flowlabel 0x47412] (len 64, hlim 255)
15:13:39.400693 80:ee:73:95:c1:0d f4:6d:04:73:ab:4e 86dd 118: ::1 > fe80::f66d:4ff:fe73:ab4e: icmp6: echo reply (id:74c1 seq:33) (len 64, hlim 64)

But this doesn't help. The sender address of the echo reply is still bad. It is blocked by some antispoof rule on the receiver, afaict.

Is there some secret sysctl I missed to adjust?

Every helpful comment is highly appreciated.

Harri
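Added example, not part of Harri's post: a small Python check that parses pflog lines in the textual form shown above and flags outbound packets whose source address is loopback or is not among the egress interface's addresses, which is exactly the "::1 on re1" symptom in the post. The interface address table and the extra "block in" line are constructed assumptions, not data from the post.

```python
import ipaddress
import re

# Constructed sample: two of the pflog lines from the post, plus one inbound
# entry (assumed, not from the post) to show that only outbound traffic is
# checked.
PFLOG_LINES = """\
15:11:35.491878 rule 0/(match) [uid 0, pid 14639] block out on re1: [uid 4294967295, pid 100000] ::1 > fe80::f66d:4ff:fe73:ab4e: icmp6: echo reply (id:7445 seq:1) (len 64, hlim 64)
15:11:36.520792 rule 0/(match) [uid 0, pid 14639] block out on re1: [uid 4294967295, pid 100000] ::1 > fe80::f66d:4ff:fe73:ab4e: icmp6: echo reply (id:7445 seq:2) (len 64, hlim 64)
15:11:40.000000 rule 0/(match) [uid 0, pid 14639] block in on re1: [uid 4294967295, pid 100000] fe80::f66d:4ff:fe73:ab4e > fe80::82ee:73ff:fe95:c10d: icmp6: echo request (id:7445 seq:4) (len 64, hlim 255)
""".splitlines()

# Assumed address table for re1 (what `ifconfig re1` would list); the
# link-local address is the echo-request destination seen in the tcpdump.
IFACE_ADDRS = {"re1": {"fe80::82ee:73ff:fe95:c10d"}}

# Matches the tcpdump-style rendering of pflog: timestamp, rule, optional
# "[uid ..]" blocks, action, direction, interface, then "src > dst: rest".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) rule (?P<rule>\S+) (?:\[[^\]]*\] )?"
    r"(?P<action>block|pass|match) (?P<dir>in|out) on (?P<ifc>\w+): "
    r"(?:\[[^\]]*\] )?(?P<src>\S+) > (?P<dst>\S+?): (?P<rest>.*)$"
)


def parse_pflog_line(line):
    """Return the parsed fields of one pflog line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def source_anomalies(lines, iface_addrs):
    """Return (ts, ifc, src, dst, reason) for outbound entries whose source
    address is loopback or is not bound to the egress interface."""
    findings = []
    for line in lines:
        e = parse_pflog_line(line)
        if not e or e["dir"] != "out":
            continue
        try:
            src = ipaddress.ip_address(e["src"])
        except ValueError:  # hostnames or addr.port forms are not handled here
            continue
        bound = {ipaddress.ip_address(a) for a in iface_addrs.get(e["ifc"], ())}
        if src.is_loopback:
            findings.append((e["ts"], e["ifc"], e["src"], e["dst"], "loopback source"))
        elif src not in bound:
            findings.append((e["ts"], e["ifc"], e["src"], e["dst"], "source not bound to interface"))
    return findings
```

Running it over the sample flags both echo replies as "loopback source" and ignores the inbound entry.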