On Wed, 2 Dec 2009 00:21:40 +0000, FRLinux wrote:
>Hello,
>
>I have a small problem with IPv6. I am trying to allow ssh via v6 from
>a remote host and whilst the same ruleset works for IPv4, it fails for
>IPv6. Could anyone point me in the right direction? If I disable PF,
>everything works of course.
>
>Here is my pf.conf (this is my home soekris router, doing nating too):
>
>ext_if="sis1"
>int_if="sis0"
>
>ssh_server_v4="1xx:xxx:xxx:xxx"
>ssh_server_v6="2001:xxxxxxxxxx"
>
>set skip on lo
>
>nat-anchor "ftp-proxy/*"
>rdr-anchor "ftp-proxy/*"
>nat on $ext_if from !($ext_if) -> ($ext_if:0)
>rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
>anchor "ftp-proxy/*"
>pass out
>
>pass quick on $int_if no state
>
>antispoof quick for { lo $int_if }
>
>#ipv4
>pass in inet proto icmp all
>pass in quick on $ext_if proto tcp from $ssh_server_v4 to port ssh
>
>#ipv6
>pass in inet6 proto ipv6-icmp all
>pass in quick on $ext_if proto tcp from $ssh_server_v6 to port ssh
>
>block in
I saw your email saying you had fixed your problem BUT that last line above negates both of your icmp rules. A 'block in' statement would normally be the first filter rule and then only explicit allowed traffic gets in and you could take out the "quick"s.

>
>
>Thanks,
>Steph
>

*** NOTE *** Please DO NOT CC me. I <am> subscribed to the list. Mail to the sender address that does not originate at the list server is tarpitted. The reply-to: address is provided for those who feel compelled to reply off list. Thank you.

Rod/
---
This life is not the real thing. It is not even in Beta. If it was, then OpenBSD would already have a man page for it.
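To make the rule-ordering point above concrete, here is an added toy model of how pf evaluates inbound filter rules (last matching rule wins, and a matching `quick` rule ends evaluation at once). It is not pf's code and not the poster's; the ruleset is reduced to the rules that matter, and the redacted v6 client address is replaced with a constructed placeholder.

```python
"""Toy model of pf inbound rule evaluation: last match wins unless a
matching rule carries 'quick', which stops evaluation immediately."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    action: str                     # "pass" or "block"
    quick: bool = False
    af: Optional[str] = None        # "inet", "inet6" or None (any)
    proto: Optional[str] = None     # "tcp", "icmp", "ipv6-icmp" or None
    src: Optional[str] = None       # exact source address or None (any)
    dport: Optional[int] = None     # destination port or None (any)

    def matches(self, pkt: dict) -> bool:
        fields = (("af", self.af), ("proto", self.proto),
                  ("src", self.src), ("dport", self.dport))
        return all(want is None or want == pkt.get(key) for key, want in fields)


def evaluate(rules: list, pkt: dict) -> str:
    """Verdict for one inbound packet; pf's implicit default is pass."""
    verdict = "pass"
    for rule in rules:
        if rule.matches(pkt):
            verdict = rule.action
            if rule.quick:
                break
    return verdict


SSH_V6 = "2001:db8::1"   # constructed placeholder for the redacted address

# Poster's ordering: 'block in' last, after two non-quick icmp pass rules.
ORIGINAL = [
    Rule("pass", af="inet", proto="icmp"),
    Rule("pass", quick=True, proto="tcp", src=SSH_V6, dport=22),
    Rule("pass", af="inet6", proto="ipv6-icmp"),
    Rule("block"),
]
# Default deny first, then explicit passes; 'quick' is no longer needed.
REORDERED = [
    Rule("block"),
    Rule("pass", af="inet", proto="icmp"),
    Rule("pass", af="inet6", proto="ipv6-icmp"),
    Rule("pass", proto="tcp", src=SSH_V6, dport=22),
]

# Constructed sample packets.
ICMP6 = {"af": "inet6", "proto": "ipv6-icmp", "src": "2001:db8::9"}
SSH6 = {"af": "inet6", "proto": "tcp", "src": SSH_V6, "dport": 22}
OTHER_SSH = {"af": "inet6", "proto": "tcp", "src": "2001:db8::9", "dport": 22}
```

In the original ordering the trailing `block in` is the last match for the icmp6 packet and wins, while the ssh rule still passes only because of `quick`; with `block in` first, both pass as intended and ssh from any other source stays blocked.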