On Mon, Apr 06, 2009 at 11:58:01AM +0200, Tasmanian Devil wrote:
> > whereas, a state should be created by this rule:
> > pass out quick inet from any to 209.51.181.2
>
> Not sure how this fits together with your second post where you say
> that you can ping6 from the outside, but it depends also on your other
> rules. What you need to allow is proto 41 (ipv6) between the two
> tunnel endpoints of your GIF tunnel (between 12.158.188.186 and
> 209.51.181.2 in your case), and in both directions.

proto 41 is allowed out by the "first" quick rule in the ruleset:

@0 pass out quick on vr0 inet proto ipv6 from any to 209.51.181.2 keep state
  [ Evaluations: 83        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 5522 State Creations: 6     ]

That's the rule that should create the appropriate state, but it doesn't, as seen by:

Apr 6 01:21:39 D2710 /bsd: pf: stack key attach failed on all: 41 out wire: 209.51.181.2 12.158.188.186 stack: 209.51.181.2 12.158.188.186 1:0

>
> For me, with "block in all/pass out all" default rules, a rule like
> this works fine:
>
> pass in on $ext_if proto ipv6 from $server_ip to $my_ip
>
> > traffic on gif0 is skipped, but it shouldn't matter
>
> Are you sure that you really want this? That way you allow all traffic
> via IPv6 in, which means no filtering at all for IPv6. So the world
> can probably access more than you think...

This is done for debugging purposes only.
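As an added illustration of the rule set Tasmanian Devil describes above (allow IP protocol 41 between the two tunnel endpoints in both directions, and filter the decapsulated IPv6 traffic on gif0 instead of skipping it), here is a pf.conf fragment. It is not from the original thread; the interface names and endpoint addresses are taken from the posts above, and the services opened on gif0 (SSH and HTTP) are an assumption chosen for illustration.

```pf
# Added example, not from the original thread. Assumes, as in the posts
# above, that vr0 is the external interface, 12.158.188.186 the local
# tunnel endpoint, 209.51.181.2 the remote endpoint and gif0 the tunnel.
ext_if    = "vr0"
tun_if    = "gif0"
my_ip     = "12.158.188.186"
server_ip = "209.51.181.2"

set skip on lo0

# Default policy: block inbound, allow outbound with state.
block in log all
pass out all keep state

# The encapsulated tunnel traffic (IP protocol 41, named "ipv6" in
# /etc/protocols) between the two endpoints, explicitly in both directions.
pass out quick on $ext_if inet proto ipv6 from $my_ip to $server_ip keep state
pass in  quick on $ext_if inet proto ipv6 from $server_ip to $my_ip keep state

# Do NOT "set skip on gif0": that leaves the decapsulated IPv6 traffic
# unfiltered. Filter it on the tunnel interface like any other interface.
pass out on $tun_if inet6 keep state
pass in  on $tun_if inet6 proto ipv6-icmp
# Assumed services for illustration only: SSH and HTTP to this host's
# own gif0 address.
pass in  on $tun_if inet6 proto tcp to ($tun_if) port { 22 80 } keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -vvsr` shows per-rule evaluation and state counters as in the output quoted above, which is the quickest way to confirm that the proto 41 rules on the external interface are the ones actually matching.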