Date: Wed, 26 Jul 2006 11:33:25 GMT
From: Remko Catersels <sirdice@xs4all.nl>
To: freebsd-gnats-submit@FreeBSD.org
Subject: PF on FreeBSD 6.1-STABLE doesn't block IPv6
X-Send-Pr-Version: www-2.3

>Number:         100879
>Category:       kern
>Synopsis:       [pf] PF on FreeBSD 6.1-STABLE doesn't block IPv6
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-pf
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jul 26 11:40:14 GMT 2006
>Closed-Date:    Thu Jul 27 09:34:27 GMT 2006
>Last-Modified:  Thu Jul 27 09:34:27 GMT 2006
>Originator:     Remko Catersels
>Release:        6.1-STABLE
>Organization:
>Environment:
FreeBSD maelcum.w2k.home 6.1-STABLE FreeBSD 6.1-STABLE #12: Sun Jul 23 22:42:01 CEST 2006     root@molly.w2k.home:/usr/obj/usr/src/sys/MAELCUM  i386
>Description:
Compiled a kernel with INET6 support. Added device pf and pflog. Configured
IPv6 using a tunnel broker supplied by my ISP. IPv6 fully functional.
Internal machines all have a global IPv6 address. Added a block in on
$ext_if inet6 from any to any. Reloaded pf.conf. I can still ping all the
machines behind the firewall via IPv6.

$ext_if="rl1"
$int_if="rl0"



>How-To-Repeat:

>Fix:

>Release-Note:
>Audit-Trail:

From: "SirDice" <sirdice@xs4all.nl>
To: FreeBSD-gnats-submit@FreeBSD.org, freebsd-bugs@FreeBSD.org
Cc:  
Subject: Re: misc/100879: PF on FreeBSD 6.1-STABLE doesn't block IPv6
Date: Wed, 26 Jul 2006 13:56:14 +0200 (CEST)

 Forgot to mention IPv4 pf rules work as they should.
 

From: Daniel Hartmeier <daniel@benzedrine.cx>
To: Remko Catersels <sirdice@xs4all.nl>
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: misc/100879: PF on FreeBSD 6.1-STABLE doesn't block IPv6
Date: Wed, 26 Jul 2006 18:27:30 +0200

 On Wed, Jul 26, 2006 at 11:33:25AM +0000, Remko Catersels wrote:
 
 > Compiled a kernel with INET6 support. Added device pf and pflog.
 > Configured IPv6 using a tunnel broker supplied by my ISP. IPv6 fully
 > functional. Internal machines all have a global IPv6 address. Added a
 > block in on $ext_if inet6 from any to any. Reloaded pf.conf. I can still
 > ping all the machines behind the firewall via IPv6.
 
 That blocks IPv6 packets on $ext_if. Maybe what is passing on $ext_if is
 not actually native IPv6 packets, but encapsulated IPv6-in-IPv4 packets
 ("inet proto ipv6" in pf syntax)? And you need to filter the native IPv6
 packets after decapsulation on the virtual tunnel interface, like gif(4)?
 
 When in doubt, tcpdump ;)
 
 Daniel
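
Added example (not part of the PR and not pf code): a small Python classifier for the distinction drawn in the reply above, showing that a rule restricted to `inet6` on the physical interface never sees IPv6 that arrives wrapped in IPv4 protocol 41. The function names are hypothetical, and the packets are constructed from documentation-range addresses with checksums left at zero.

```python
import socket
import struct

IPPROTO_IPV6 = 41  # IPv6-in-IPv4; this is what pf calls "inet proto ipv6"

def classify(pkt: bytes) -> dict:
    """Return the address family a filter sees for a raw IP packet (no link header)."""
    if not pkt:
        raise ValueError("empty packet")
    version = pkt[0] >> 4
    if version == 6:
        if len(pkt) < 40:
            raise ValueError("truncated IPv6 header")
        return {"af": "inet6", "proto": pkt[6], "inner": None}
    if version == 4:
        ihl = (pkt[0] & 0x0F) * 4
        if ihl < 20 or len(pkt) < ihl:
            raise ValueError("bad IPv4 header length")
        inner = None
        if pkt[9] == IPPROTO_IPV6 and len(pkt) > ihl and pkt[ihl] >> 4 == 6:
            inner = "inet6"  # tunnelled IPv6, only visible after decapsulation
        return {"af": "inet", "proto": pkt[9], "inner": inner}
    raise ValueError(f"unknown IP version {version}")

def inet6_rule_matches(pkt: bytes) -> bool:
    """Would a rule restricted to 'inet6' on this interface apply to pkt?"""
    return classify(pkt)["af"] == "inet6"

def sample_packets():
    """Constructed test data: an ICMPv6 echo request, native and 6in4-wrapped."""
    echo = struct.pack("!BBHHH", 128, 0, 0, 1, 1)  # type 128, checksum left 0
    v6 = struct.pack("!IHBB", 0x60000000, len(echo), 58, 64)
    v6 += socket.inet_pton(socket.AF_INET6, "2001:db8::1")
    v6 += socket.inet_pton(socket.AF_INET6, "2001:db8::2") + echo
    v4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(v6), 0, 0, 64,
                     IPPROTO_IPV6, 0, socket.inet_aton("192.0.2.1"),
                     socket.inet_aton("198.51.100.1"))
    return v6, v4 + v6

if __name__ == "__main__":
    native, tunnelled = sample_packets()
    for name, pkt in (("native", native), ("6in4", tunnelled)):
        print(name, classify(pkt), "inet6 rule matches:", inet6_rule_matches(pkt))
```

The tunnelled packet classifies as `inet` with protocol 41 on the outer interface; stripping the 20-byte outer header, as the tunnel interface does, yields the packet an `inet6` rule can match.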
Responsible-Changed-From-To: freebsd-bugs->freebsd-pf 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Thu Jul 27 06:58:35 UTC 2006 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=100879 
State-Changed-From-To: open->closed 
State-Changed-By: dhartmei 
State-Changed-When: Thu Jul 27 09:33:52 UTC 2006 
State-Changed-Why:  
not a bug, submitter agrees. 

>Unformatted:
