allow lan to go on ipv6 website (OpenBSD/PF)

[milo97400]

Hi,

I use OpenBSD 5.0 with 2 NICs : rl0 and fxp0
rl0 : lan / fxp0 : egress, internet

On the OpenBSD Firewall : i can ping6 ipv6.google.com and 'lynx ipv6.google.com' works.
But on workstations, i can't ping -6 ipv6.google.com and ipv6 website is not reached.

Kernel setup :
net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1
net.inet6.ip6.accept_rtadv=0

my pf.conf :

he="66.220.2.74"
heserver="216.xx.xx.xx"
lan="rl0"

set skip on {lo,gif0}
set block-policy drop

match out on egress from $lan:network to any nat-to egress $opt
match in all scrub (no-df max-mss 1440)

block log all

pass in proto ipv6 from $heserver to egress keep state
pass out proto ipv6 from egress to $heserver keep state

pass out on egress inet proto udp
pass out on egress inet proto tcp $opt
pass in on $lan inet6
pass out on egress inet6

pass in on $lan inet proto tcp from $lan:network to port {www,https}
pass in on $lan inet proto udp from $lan:network to port domain

pass out on egress inet proto icmp all icmp-type echoreq
pass in on $lan inet proto icmp all icmp-type echoreq
pass in on egress inet proto icmp from $he to any icmp-type echoreq

Please, can you help me on allowing my hosts to use ipv6 ?
Thank you very much.
 
www.mouedine.net

[k1mu]

Here's what I have in my pf.conf for IPv6:

# External and internal interfaces
ext="xl0"
int="bge0"
# HE tunnel interface
tun="gif0"
# My LAN range
lan="192.168.1.0/24"
# My LAN IPv6 range - my routed /64
lanv6=" 2001:470:x:xx::/64"
# The tunnel endpoint at HE
tunnel="216.66.xx.x"

# I allow SSH to IPv6 hosts
pass in quick log on $tun inet6 proto tcp from any to $lanv6 port ssh modulate state

# Allow the HE tunnel
pass in proto 41 from $tunnel to $ext keep state
pass out proto 41 from $ext to $tunnel keep state

# Allow any IPv6 outbound
pass out on $tun inet6 all keep state

# pass in/out all IPv6 ICMP traffic
pass in quick proto icmp6 all
pass in quick on $ext proto icmp6 all

There's lots of other rules in my firewall definitions, but I think you'll need to add the pass rules for protocol 41 for starters.

[milo97400]

Proto 41 = ipv6 services (see /etc/services)
I already have these lines (see first post):

pass in proto ipv6 from $heserver to egress keep state
pass out proto ipv6 from egress to $heserver keep state

Ithink that my problem come from : i deny traffic udp (port 53) inet6 ... need to test it tomorrow.
If someone have any idea... ;-) And thank you very much for your replies.

Wesley.

[ngyurov]

milo97400, I have the same problem.
Did you find the solution?

[k1mu]

milo97400, I have the same problem.
Did you find the solution?

Here's what I have in my OpenBSD pf setup.  It allows stateful outbound IPv6 and only SSH inbound.

#       $OpenBSD: pf.conf,v 1.28 2004/04/29 21:03:09 frantzen Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

ext="xl0"
int="bge0"
tun="gif0"
localhost="127.0.0.1"
lan="192.168.1.0/24"
lanv6=" 2001:xxxx:x:xx::/64"
tunnel="216.66.x.x"
# set 'bhlogit' to "log" to log blackhole drops (currently rules 9 and 10)
bhlogit=""
logit="log"

udp_traceroute = "33435:33525"
ok_ssh = "{ 192.168.0.0/16, 65.x.x.253 }"
block_tcp = "{ 23, 445, 135:139, 559, 1024, 1433, 3072, 5900, 5901 }"
block_udp = "{ 80, 443, 135:139, 1024:1026, 1434 }"
# these won't be logged when dropped
drop_tcp_ports = "{ 80, 443, 8080, 16642, 25975, 35048, 36103 }"
drop_udp_ports = "{ echo, 16642, 25975, 35048 }"

table <blackhole> persist file "/etc/blackhole.txt"
table <droplist> persist file "/etc/droplist.txt"
table <ssh-violations> persist file "/etc/ssh-violations.txt"

# Services visible from the outside - remove any you're not using
services = "{ domain }"

# Non-routable IP ranges
nonroutable = "{ 127.0.0.0/8, 0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 204.152.64.0/23 }"

# Ignore loopback
set skip on lo0

# Fix fragmented packets
match in all scrub (no-df random-id)

# NAT
# nat: packets going out through xl0 with source addr 192.168.1.0/24
# will get translated as coming from our external address. State is
# created for such packets, and incoming packets will be redirected to
# the internal address.

match out on $ext from $int:network to any nat-to ($ext)

# Packet filtering rules

anchor "ftp-proxy/*"
pass in quick on $int inet proto tcp to port ftp divert-to 127.0.0.1 port 8021

block drop in quick $bhlogit on $ext from <blackhole> to any
block drop in quick $bhlogit on $ext from <droplist> to any
block drop in quick $bhlogit on $ext from <ssh-violations> to any
block out quick $bhlogit on $ext from any to <blackhole>
block out quick $bhlogit on $ext from any to <droplist>
pass quick on lo0 all
#
# This allows IPv6 traffic to flow to the SSH server
#
pass in quick log on $tun inet6 proto tcp from any to $lanv6 port ssh modulate state

# Block unroutable
block drop in quick log on $ext from $nonroutable to any
block drop out quick log on $ext from any to $nonroutable

# Block incoming from the internet

block in log on $ext all

block in on $ext inet proto tcp to any port $drop_tcp_ports
block in on $ext inet proto udp to any port $drop_udp_ports

block return in on $ext inet proto tcp to any port www
block in quick $logit on $ext inet proto tcp to any port $block_tcp
block in quick $logit on $ext inet proto udp to any port $block_udp
#
# Allow the HE tunnel
#
pass in proto 41 from $tunnel to $ext keep state
pass out proto 41 from $ext to $tunnel keep state

# pass in/out all IPv6 ICMP traffic
pass in quick proto icmp6 all
pass in quick on $ext proto icmp6 all

# allow ping
pass in inet proto icmp all icmp-type echoreq code 0 keep state

# Allow traceroute
pass in on $ext inet proto udp to ($ext) port { $udp_traceroute }

# Allow traffic to/from the inside
pass in on $int from $int:network to any keep state allow-opts

pass out on $int from any to $int:network keep state

# Allow incoming services - domain

pass in quick on $ext inet proto tcp from any to any port $services allow-opts

pass in quick inet proto tcp from $ok_ssh to ($ext) port ssh modulate state
pass in quick inet proto tcp from any to ($ext) port ssh \
        modulate state(max-src-conn-rate 4/120, \
                        overload <ssh-violations> flush global)

pass in on $ext inet proto tcp from any to ($ext) port smtp keep state
pass out on $int inet proto tcp from any to any port smtp keep state

# UDP: allow DNS since I run a public nameserver (remove if you don't!)
pass in on $ext inet proto udp from any to ($ext) port domain
pass in on $ext inet proto udp from any to any port 37144
pass out on $ext inet proto tcp from any to any port domain

# Make stateful connections to the internet
pass out on $ext inet proto tcp all modulate state flags S/SA
pass out on $ext inet all keep state

#
# Allow traffic out the tunnel interface
#
pass out on $tun inet6 all keep state

#
# Other NAT rules go here
#

# Anti-spoof
antispoof for { lo0, $int, $ext, $tun }