openbsd 3.2, pf, and ipv6 tunnels
From: Richard Welty (rwelty
averillpark.net)
Date: Sat Aug 02 2003 - 23:55:25 CDT
i have a 3.2 system functioning as my home firewall right now. i'm
attempting to set up an ipv6 tunnel using the Hurricane Electric
tunnelbroker system, and having hacked my way past various HE issues, i'm
now looking at a pf issue i don't quite understand.
specifically, when from the firewall box, i use ping6 to hit the other end
of the tunnel, the echo replies are blocked.
at first, i had a simple pf rule on the gif0 interface to pass back icmp,
like so:
pass in log quick on $tunnel_if inet6 proto ipv6-icmp all
ipv6-icmp-type { 128, 129, 135, 136 }
this rule was being skipped, and the icmp traffic was being rejected with
this catch all from further down in pf.conf:
block in log quick on $ext_if all
i looked at the output from running tcpdump on pflog0, and noticed that the
icmp traffic was being characterized this way:
Aug 03 04:36:38.340291 rule 30/0(match): pass out on gif0:
2001:470:1f00:ffff::2b9 > 2001:470:1f00:ffff::2b8: icmp6: echo request
Aug 03 04:36:38.438429 rule 18/0(match): block in on ep1:
2001:470:1f00:ffff::2b8 > 2001:470:1f00:ffff::2b9: icmp6: echo reply (encap)
that is, out on gif0 ($tunnel_if in pf.conf) and coming back on ep1
($ext_if)
so i added a pass in log quick on $ext_if in addition to the pass in on
$tunnel_if.
no effect; the traffic is still being blocked on rule 18, which is the
block in log quick on $ext_if all
the relevant block of rules (from pfctl -s rules) is as follows:
8 pass in log quick on gif0 inet6 proto ipv6-icmp all ipv6-icmp-type neighbradv
9 pass in log quick on gif0 inet6 proto ipv6-icmp all ipv6-icmp-type neighbrsol
10 pass in log quick on gif0 inet6 proto ipv6-icmp all ipv6-icmp-type echorep
11 pass in log quick on gif0 inet6 proto ipv6-icmp all ipv6-icmp-type echoreq
12 pass in log quick on ep1 inet6 proto ipv6-icmp all ipv6-icmp-type neighbradv
13 pass in log quick on ep1 inet6 proto ipv6-icmp all ipv6-icmp-type neighbrsol
14 pass in log quick on ep1 inet6 proto ipv6-icmp all ipv6-icmp-type echorep
15 pass in log quick on ep1 inet6 proto ipv6-icmp all ipv6-icmp-type echoreq
16 block return-rst in log quick on ep1 proto tcp all
17 block return-icmp in log quick on ep1 proto udp all
18 block in log quick on ep1 all
so just how do i get this traffic to pass through?
thanks,
richard
--
Richard Welty rwelty
averillpark.net
Averill Park Networking 518-573-7592
Java, PHP, PostgreSQL, Unix, Linux, IP Network Engineering, Security
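The pflog line above gives the answer away: the echo reply that hits rule 18 is logged as "in on ep1 ... (encap)", so at the point pf blocks it, it is not an IPv6 packet at all but the outer IPv4 packet carrying protocol 41 (ipv6-in-ipv4) from HE's tunnel server. The "inet6 proto ipv6-icmp" rules on ep1 can never match an inet packet, so the catch-all block wins. pf sees the tunnel traffic twice: once as the IPv4 protocol 41 packet on the physical interface, and again, after gif0 decapsulates it, as the inner IPv6 packet on gif0. Both passes need a rule. The following pf.conf fragment is an added example, not the poster's configuration; the macro values for HE's tunnel server address and this box's public IPv4 address are assumptions (documentation-prefix placeholders), the two IPv6 endpoint addresses are taken from the log lines in the post, and the ipv6-icmp-type keyword is the 3.2-era spelling the poster's pfctl output already uses.

```pf
# Added example, not the original poster's pf.conf.
# Assumed values: $he_v4 and $my_v4 are placeholders for the real
# tunnel endpoints; $tunnel_remote and $tunnel_local come from the
# pflog lines in the post.
ext_if        = "ep1"
tunnel_if     = "gif0"
he_v4         = "192.0.2.1"        # assumed: HE tunnel server IPv4
my_v4         = "198.51.100.2"     # assumed: this firewall's public IPv4
tunnel_remote = "2001:470:1f00:ffff::2b8"
tunnel_local  = "2001:470:1f00:ffff::2b9"

# 1. The tunnel wrapper. What arrives on $ext_if is IPv4 with protocol 41
#    ("ipv6" in /etc/protocols). The inet6 icmp rules on $ext_if can never
#    match it, which is why the catch-all block below was winning.
pass in  quick on $ext_if inet proto ipv6 from $he_v4 to $my_v4
pass out quick on $ext_if inet proto ipv6 from $my_v4 to $he_v4

# 2. After gif0 strips the IPv4 header, the inner IPv6 packet is filtered
#    again on $tunnel_if. This is where the icmp6 rules belong, and they
#    can be tightened to the two tunnel endpoints instead of "all".
pass in  log quick on $tunnel_if inet6 proto ipv6-icmp \
    from $tunnel_remote to $tunnel_local \
    ipv6-icmp-type { echoreq, echorep, neighbrsol, neighbradv }
pass out log quick on $tunnel_if inet6 proto ipv6-icmp \
    from $tunnel_local to $tunnel_remote \
    ipv6-icmp-type { echoreq, echorep, neighbrsol, neighbradv }

# 3. The existing catch-all stays last. With rule 1 in place the
#    encapsulated echo reply is passed on $ext_if and then judged as
#    IPv6 on $tunnel_if, so it no longer falls through to here.
block in log quick on $ext_if all
```

Check the syntax with pfctl -nf /etc/pf.conf before loading, then repeat the ping6 while watching tcpdump -n -e -ttt -i pflog0: the "(encap)" reply should now match the pass rule on ep1, and the only remaining log entries for it should be the inet6 pass rules on gif0. Restricting rule 1 to $he_v4 matters, since an unrestricted "proto ipv6" pass on the external interface would let anyone on the IPv4 internet inject packets into the gif tunnel.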