My home OpenBSD machine acts as my home router for NAT and for my HE ipv6 tunnel. Everything works great except that I can't figure out how to allow inbound ping6. HE has an IPv6 portscan function that can never manage to ping6 me. If I tell it to not ping (-PN) it does indeed succeed to scan just the open ports I intend it to.
I have tried a number of ways to allow icmp6, as the notes in my pf.conf (look for #####) explain below. What few examples I could find online (http://www.benzedrine.cx/pf.conf) seemed to suggest it shouldn't be hard, but I'm not having any success. Is anyone doing this with 4.7?

#/etc/pf.conf
outside_if = "fxp0"
inside_if = "fxp1"
tunnel_if = "gif0"
local_if = "lo0"
nofilt_ifs = "{" $inside_if $local_if "}"
ipv6_net = "{ 2001:470:a:x::2, 2001:470:b:x::/64 }"
tunnel_peer = "216.218.xxx.xxx"
nat_range = "10.0.0.0/24"
ok_in_tcp_ports = "{" ftp ssh auth "}"

table <no-ssh> persist

# no filtering on my inside stuff
set skip on $nofilt_ifs

#pass # to establish keep-state

altq on $outside_if priq queue { std_out, ssh_out, dns_out, tcp_ack_out }
queue std_out priq(default)
queue ssh_out priority 4 priq(red)
queue dns_out priority 5
queue tcp_ack_out priority 6

# NAT for inside IPv4 network
match out on ! $inside_if inet from $nat_range to any nat-to ($outside_if:0)

# Block networks that bang on my SSH port right away
block in quick inet proto tcp from <no-ssh> to any port ssh

# Block X.org traffic as the default ruleset does.
block in quick on ! lo0 proto tcp to port 6000:6010

# Block everything by default
block

# HE IPv6 Tunnel
pass out on $outside_if inet proto ipv6 from ($outside_if) to $tunnel_peer
pass in on $outside_if inet proto ipv6 from $tunnel_peer to ($outside_if)

# Some stuff has to come in.
pass in on $outside_if proto tcp to ($outside_if) port $ok_in_tcp_ports
pass in on $tunnel_if inet6 proto tcp from any to $ipv6_net port $ok_in_tcp_ports
pass on $outside_if inet proto icmp icmp-type 8 code 0
##### I have tried all three of these to no effect
#pass on $tunnel_if inet6 proto ipv6-icmp
#pass in on $tunnel_if inet6 proto ipv6-icmp from any to $ipv6_net
#pass quick proto icmp6 all

# Outbound rules and our queues
pass out on $outside_if proto tcp from ($outside_if) to any \
	queue(std_out, tcp_ack_out)
pass out on $tunnel_if inet6 proto tcp from $ipv6_net to any \
	queue(std_out, tcp_ack_out)
pass out on $outside_if proto { udp icmp } from ($outside_if) to any
pass out on $tunnel_if inet6 proto udp from $ipv6_net to any
##### tried this, outbound ping6 works without it
#pass out on $tunnel_if inet6 proto ipv6-icmp from $ipv6_net to any
pass out on $outside_if proto { tcp udp } from ($outside_if) to any port domain \
	queue dns_out
pass out on $tunnel_if inet6 proto udp from $ipv6_net to any port domain \
	queue dns_out

--TimH
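For comparison, here is an added example of the ICMPv6 rules a practitioner would normally want on a tunnel interface in a default-deny ruleset. It is not TimH's configuration; the interface name gif0 and the 2001:db8:: addresses are constructed placeholders, and the macro names are assumptions. It passes echo requests so reachability tests work, and separately passes the ICMPv6 error types that Path MTU discovery and TCP depend on, which a rule limited to echo requests would silently drop.

```pf
# Added example, not the original poster's ruleset.
# Assumed names: tunnel_if is the tunnel interface, ipv6_net is a
# constructed documentation prefix standing in for the real one.
tunnel_if = "gif0"
ipv6_net  = "{ 2001:db8:0:1::2, 2001:db8:0:2::/64 }"

# ICMPv6 error messages an IPv6 host must accept even behind a firewall:
# unreach, toobig, timex and paramprob carry Path MTU discovery and
# error feedback.  Dropping them breaks TCP over the tunnel, not just ping6.
icmp6_errors = "{ unreach, toobig, timex, paramprob }"

# Default deny, logged, so blocked packets show up on pflog0.
block log

# Inbound echo request on the tunnel, matched on type rather than passing
# all of ipv6-icmp.  The default keep state covers the echo reply.
pass in log on $tunnel_if inet6 proto ipv6-icmp from any to $ipv6_net \
    icmp6-type echoreq

# Inbound error messages; these are unsolicited by design, so no existing
# state will match them and they need their own pass rule.
pass in on $tunnel_if inet6 proto ipv6-icmp from any to $ipv6_net \
    icmp6-type $icmp6_errors

# Anything ICMPv6 we originate may leave on the tunnel.
pass out on $tunnel_if inet6 proto ipv6-icmp from $ipv6_net to any
```

To confirm which rule a probe actually hits, load the ruleset with `pfctl -nvf /etc/pf.conf` first (it prints every rule with macros expanded, so an address list that does not contain the pinged address stands out), then watch `tcpdump -n -e -ttt -i pflog0 icmp6` while the external ping6 runs: each logged packet names the rule number and whether it was passed or blocked, which is the quickest way to tell a rule that never matched from one that matched and still failed.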