Hello, I am confused about how Neighbor Discovery is not working when the firewall is on. If I have "pf" disabled then doing an ndp -an results in a complete discovery:
ndp with firewall disabled (pfctl -d):

Neighbor                                  Linklayer Address  Netif Expire    S Flags
2001:8004:1420:194b:c4a9:f2c3:3403:36ed   00:e0:67:15:e7:82  em0   permanent R l
fe80::2e0:67ff:fe15:e782%em0              00:e0:67:15:e7:82  em0   permanent R l
fe80::803a:feff:fe38:a754%em0             82:63:9c:36:23:a2  em0   37s       R R
fe80::e98a:6028:3c19:5fc%em0              82:63:9c:36:23:a2  em0   32s       R R
fe80::2e0:67ff:fe15:e783%em1              00:e0:67:15:e7:83  em1   permanent R l
fe80::1c32:1698:96d9:35fb%em1             38:f9:d3:e0:fa:db  em1   20h53m3s  S

ndp with firewall enabled (pfctl -e), the discovery is incomplete:

Neighbor                                  Linklayer Address  Netif Expire    S Flags
2001:8004:1420:194b:c4a9:f2c3:3403:36ed   00:e0:67:15:e7:82  em0   permanent R l
fe80::2e0:67ff:fe15:e782%em0              00:e0:67:15:e7:82  em0   permanent R l
fe80::803a:feff:fe38:a754%em0             82:63:9c:36:23:a2  em0   23h40m37s S R
fe80::e98a:6028:3c19:5fc%em0              (incomplete)       em0   expired   I R
fe80::2e0:67ff:fe15:e783%em1              00:e0:67:15:e7:83  em1   permanent R l
fe80::1c32:1698:96d9:35fb%em1             38:f9:d3:e0:fa:db  em1   20h55m18s S

On interface em0 I am using dhcpcd to get the IPv6 address.

em0: flags=808843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,AUTOCONF4> mtu 1500
        lladdr 00:e0:67:15:e7:82
        index 1 priority 0 llprio 3
        groups: egress
        media: Ethernet autoselect (1000baseT full-duplex,master,rxpause,txpause)
        status: active
        inet 10.121.101.56 netmask 0xffffff00 broadcast 10.121.101.255
        inet6 fe80::2e0:67ff:fe15:e782%em0 prefixlen 64 scopeid 0x1
        inet6 2001:8004:1420:194b:c4a9:f2c3:3403:36ed prefixlen 64 autoconf

I cannot see anything blocking "ndp" in pflog, so I am confused as to what is going on here.
I have attached my firewall configuration:

# Macros
ext_if = "em0"
int_if = "em1"
icmp_types = "{echoreq unreach}"
icmp6_types = "{echoreq unreach toobig routersol routeradv neighbrsol neighbradv}"

# Tables
table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 \
                   169.254.0.0/16 172.16.0.0/12 192.0.0.0/24 \
                   192.0.2.0/24 192.88.99.0/24 192.168.0.0/16 \
                   198.18.0.0/15 198.51.100.0/24 203.0.113.0/24 \
                   224.0.0.0/4 240.0.0.0/4 255.255.255.255/32 }

# Options
set skip on lo
set block-policy drop
set loginterface egress
set reassemble yes

# Scrub rule
match in all scrub (no-df random-id max-mss 1440)

# NAT Rule
match out on egress inet from !(egress:network) to any nat-to (egress:0)

# Block Unicast reverse path Forwarding
block in quick log from urpf-failed

# Block martians rule
block in quick on egress from <martians> to any
# block return out quick on egress from any to <martians>

# Default block all
block log all

# Allow ipv6 NDP
pass out quick on egress inet6 proto icmp6 from fe80::/10 to any icmp6-type {neighbrsol} keep state
pass out quick on egress inet6 proto icmp6 from fe80::/10 to any icmp6-type {neighbradv} keep state

# Allow icmp6
pass in quick on egress inet6 proto icmp6 all icmp6-type $icmp6_types keep state label "ICMP6-TRAFFIC"

# Allow dhcp6 traffic
pass in quick on egress inet6 proto udp from fe80::/10 port dhcpv6-server to fe80::/10 port dhcpv6-client

# Pass all other traffic out
pass out quick

# Pass in all traffic on internal network
pass in on { $int_if }

At present I am interested in getting working IPv6 on interface em0 only, with the firewall enabled. Any ideas would be appreciated.

Many thanks
Antonino Sidoti
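The post above compares two ndp -an captures by eye. As an added example (not code from the original post or from OpenBSD), the script below does that comparison mechanically: it takes a capture made with pf disabled and one made with pf enabled and prints every neighbour that resolved in the first but is "(incomplete)" in the second, so you know exactly which link-local peer to watch for on the wire. The two captures are copied from the post and embedded so the script runs offline; the only assumption is the ndp -an column layout shown in the post (Neighbor, Linklayer Address, Netif, Expire, S, Flags).

```shell
#!/bin/sh
# Added example: diff two "ndp -an" captures (pf disabled vs pf enabled).
# On a live box the captures would be taken with:
#   pfctl -d; ndp -an > ndp.off; pfctl -e; ndp -an > ndp.on
# Here both captures are the ones from the post, embedded as constructed
# sample input so the script runs without a network.

NDP_OFF=$(mktemp) || exit 1
NDP_ON=$(mktemp) || exit 1
trap 'rm -f "$NDP_OFF" "$NDP_ON"' EXIT

# Capture 1: pf disabled (pfctl -d), copied from the post
cat > "$NDP_OFF" <<'EOF'
Neighbor                                  Linklayer Address  Netif Expire    S Flags
2001:8004:1420:194b:c4a9:f2c3:3403:36ed   00:e0:67:15:e7:82  em0   permanent R l
fe80::2e0:67ff:fe15:e782%em0              00:e0:67:15:e7:82  em0   permanent R l
fe80::803a:feff:fe38:a754%em0             82:63:9c:36:23:a2  em0   37s       R R
fe80::e98a:6028:3c19:5fc%em0              82:63:9c:36:23:a2  em0   32s       R R
fe80::2e0:67ff:fe15:e783%em1              00:e0:67:15:e7:83  em1   permanent R l
fe80::1c32:1698:96d9:35fb%em1             38:f9:d3:e0:fa:db  em1   20h53m3s  S
EOF

# Capture 2: pf enabled (pfctl -e), copied from the post
cat > "$NDP_ON" <<'EOF'
Neighbor                                  Linklayer Address  Netif Expire    S Flags
2001:8004:1420:194b:c4a9:f2c3:3403:36ed   00:e0:67:15:e7:82  em0   permanent R l
fe80::2e0:67ff:fe15:e782%em0              00:e0:67:15:e7:82  em0   permanent R l
fe80::803a:feff:fe38:a754%em0             82:63:9c:36:23:a2  em0   23h40m37s S R
fe80::e98a:6028:3c19:5fc%em0              (incomplete)       em0   expired   I R
fe80::2e0:67ff:fe15:e783%em1              00:e0:67:15:e7:83  em1   permanent R l
fe80::1c32:1698:96d9:35fb%em1             38:f9:d3:e0:fa:db  em1   20h55m18s S
EOF

# ndp_incomplete FILE
# Print "<neighbor> <netif>" for every entry whose link-layer address is
# unresolved. Field 2 of a resolved entry is a MAC; of an unresolved one
# it is the literal "(incomplete)". Line 1 is the header and is skipped.
ndp_incomplete() {
    awk 'FNR > 1 && $2 == "(incomplete)" { print $1, $3 }' "$1"
}

# ndp_regressed BEFORE AFTER
# Print "<neighbor> <lladdr-from-BEFORE>" for every neighbour that had a
# link-layer address in BEFORE but is "(incomplete)" in AFTER. These are
# the peers whose neighbor solicitation/advertisement exchange stopped
# completing once pf was enabled, i.e. the ones to capture with tcpdump.
ndp_regressed() {
    awk '
        FNR == 1 { next }                        # skip the header of each file
        NR == FNR {                              # first file: remember resolved entries
            if ($2 != "(incomplete)") lladdr[$1] = $2
            next
        }
        $2 == "(incomplete)" && ($1 in lladdr) { print $1, lladdr[$1] }
    ' "$1" "$2"
}

# ndp_count_incomplete FILE -> number of unresolved entries (0 is the goal)
ndp_count_incomplete() {
    ndp_incomplete "$1" | wc -l | tr -d ' '
}

echo "unresolved neighbours with pf enabled:"
ndp_incomplete "$NDP_ON"
echo "neighbours that regressed after pfctl -e:"
ndp_regressed "$NDP_OFF" "$NDP_ON"
```

On the post's data the regressed entry is fe80::e98a:6028:3c19:5fc%em0 (previously 82:63:9c:36:23:a2), so the next step would be to watch that peer on both the physical interface and pflog0 while pf is enabled, for example tcpdump -n -e -ttt -i pflog0 ip6 and tcpdump -n -i em0 icmp6. One caveat when reading pflog0: only rules carrying the log keyword write to it, so a packet dropped by a block rule without log never shows up there; in the configuration above every block rule except the martians one is logged, and that table holds only IPv4 prefixes.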