# pf and ipv6
## myha (Jan 25, 2010)

Hi,

I need some help with setting the correct rules in pf to allow web traffic...

Here is the rule that I use now:

```
pass in log quick on bce0 inet6 proto tcp from any to $myip6 port 80
```
I have also tried

```
pass in log quick on bce0 proto ipv6
```
which should permit all ipv6 traffic, but still none goes through...?

Here is what tcpdump shows (tcpdump -n -e -ttt -i pflog):

```
00:00:00.546047 rule 0/0(match): block in on bce0: [|ip6]
```

and pfctl rules:

```
# pfctl -sr | grep  inet6
block drop in quick on ! lo inet6 from ::1 to any
block drop in quick inet6 from ::1 to any
block drop in quick on lo0 inet6 from fe80::1 to any
block drop in quick on ! bce0 inet6 from 2a02:840:1:200::/64 to any
block drop in quick on bce0 inet6 from fe80::21c:c4ff:fe78:ec46 to any
block drop in quick inet6 from 2a02:840:1:200::2 to any
pass in log quick on bce0 inet6 proto tcp from any to 2a02:840:1:200::2 port = http flags S/SA keep state
```

any ideas?


----------



## DutchDaemon (Jan 25, 2010)

What is your very first block rule (i.e. 0/0)? And have you tried this rule

```
pass in log quick on bce0 proto ipv6
```

without any other block rules, and a skip on other interfaces? Also try adding the 'log' statement _only_ to the block rules (or one at a time) and running tcpdump on pflog0.


----------



## J65nko (Jan 25, 2010)

> Here is what tcpdump shows (tcpdump -n -e -ttt -i pflog):
> 
> ```
> 00:00:00.546047 rule 0/0(match): block in on bce0: [|ip6]
> ```


This is blocked ip6 traffic, but tcpdump has truncated it. The indicator for truncated packets is "|ip6".

Increase the tcpdump snap length to "-s1600" or something like that.
You also have to tell pflogd to increase this snap or capture length. See the pflogd man page. There is also an rc.conf variable to set the flags or options for pflogd.

Try with a simple ruleset like this

```
EXT=bce0
# the web server's IPv6 address, taken from the pfctl output above
myip6="2a02:840:1:200::2"

# allow everything on loopback
set skip on lo0

# default policy to block all traffic both IPv4 and IPv6
block log all

# now we only have to allow IPv6 traffic to webserver
pass in log quick on $EXT inet6 proto tcp from any to $myip6 port 80

# let webserver do outgoing DNS lookups (both IPv4 and 6)
# pass out log quick on $EXT proto { udp tcp } from $EXT to any port 53
```
A default policy of *block log all* makes it so much easier to write pf.conf rules. You just add rules to pass the traffic you want to allow in/out.
The default block policy will block everything you did not specifically allow.
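As an added example (not part of the thread), a small POSIX shell/awk helper that summarises pflog output in the format shown above: it counts the lines tcpdump could not decode (the `[|ip6]` indicator J65nko points out), tallies matches per rule number and action, and lists the flows of blocked packets that were decoded. The sample consists of the two tcpdump lines quoted in this thread plus two constructed ones.

```sh
#!/bin/sh
# Constructed sample of "tcpdump -n -e -ttt -i pflog0" output; lines 1 and 2 are
# from this thread, lines 3 and 4 are made up for the example.
SAMPLE_PFLOG='00:00:00.546047 rule 0/0(match): block in on bce0: [|ip6]
00:00:02.880838 rule 18/0(match): pass in on bce0: 2a02:840:beef:1d::2.42214 > 2a02:840:1:200::2.80: Flags [S], seq 436018819, win 48240, options [mss 1340,TS val 3505202642 ecr 0,wscale 0,sackOK,eol], length 0
00:00:00.100000 rule 0/0(match): block in on bce0: [|ip6]
00:00:01.000000 rule 0/0(match): block in on bce0: 2a02:840:beef:1d::9.5555 > 2a02:840:1:200::2.22: Flags [S], seq 1, win 65535, length 0'

# count_truncated LOG: number of lines tcpdump printed as "[|ip6]", i.e. packets
# cut short by the snaplen of pflogd/tcpdump and therefore not decodable.
count_truncated() {
    printf '%s\n' "$1" | grep -c -F '[|ip6]'
}

# rule_summary LOG: one line "<rule number> <action> <count>" per pf rule that
# matched, sorted by rule number; useful to see which block rule eats traffic.
rule_summary() {
    printf '%s\n' "$1" | awk '
        match($0, /rule [0-9]+\/[0-9]+\(match\): (block|pass)/) {
            s = substr($0, RSTART, RLENGTH)
            split(s, f, " ")        # f[2] = "0/0(match):", f[3] = "block"
            sub(/\/.*/, "", f[2])   # keep only the rule number
            n[f[2] " " f[3]]++
        }
        END { for (k in n) print k, n[k] }' | sort -n
}

# blocked_flows LOG: "src.port > dst.port" for every blocked packet that was
# fully decoded; truncated lines carry no addresses and are skipped.
blocked_flows() {
    printf '%s\n' "$1" | awk '
        /\(match\): block / && !/\[[|]ip6\]/ {
            for (i = 1; i <= NF; i++)
                if ($i == ">") { dst = $(i + 1); sub(/:$/, "", dst); print $(i - 1), ">", dst }
        }'
}

echo "truncated lines: $(count_truncated "$SAMPLE_PFLOG")"
rule_summary "$SAMPLE_PFLOG"
blocked_flows "$SAMPLE_PFLOG"
```

Feed it real output with `tcpdump -n -e -ttt -r /var/log/pflog` once the snaplen has been raised; a high truncated count means the capture length, not the ruleset, is hiding the details.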


----------



## myha (Jan 25, 2010)

Well, I must have f***ed something up after all the different versions of rules. It is OK now, with the same set of rules... Thanks anyway!

```
00:00:00.000000 rule 18/0(match): pass in on bce0: [|ip6]
```
The log statement was there for troubleshooting purposes.


----------



## DutchDaemon (Jan 25, 2010)

Add -s 0 to tcpdump to see full packets. I find `tcpdump -s 0 -pnli <interface>` a more pleasant command myself, but that's personal.

Note: if you reload pf.conf many times and keep adding and deleting rules, pf can get confused and behave erratically. If what you see doesn't match what you expect (obvious human error aside), restart pf (`/etc/rc.d/pf restart`) and try again.


----------



## myha (Jan 25, 2010)

J65nko said:

> Increase the tcpdump snap to "-s1600" or something like that.


Thanks for this, I never thought that the output would be omitted because of the capture size... Looks better now:

```
00:00:02.880838 rule 18/0(match): pass in on bce0: 2a02:840:beef:1d::2.42214 > 2a02:840:1:200::2.80: Flags [S], seq 436018819, win 48240, options [mss 1340,TS val 3505202642 ecr 0,wscale 0,sackOK,eol], length 0
```


----------



## DutchDaemon (Jan 25, 2010)

( there was some ranting here about the binary pflog not honouring snaplength when set in pflog_flags in rc.conf, but that appears to have been resolved )


----------

