Problem with filtering ipv6 SSH behind pf


vxla
I have a FreeBSD machine (12.0-CURRENT) acting as a router for both
ipv4 and ipv6 traffic. The external interface (ue0) accepts router
advertisements and advertisements are sent out the internal interface
(ue1) using rtadvd. All hosts are receiving addresses properly.

The problem is attempting to SSH to the device with the following rule
in place:

ext_if="ue0"
int_if="ue1"
host_a="2601:Y::2"

pass in on $ext_if from any to $host_a port = ssh keep state
block log all

Ingress traffic is observed on ue0 with tcpdump, but is never sent out ue1
to $host_a. No log is generated to pflogd.

A modification of that rule permits traffic to $host_a:

pass in on $ext_if from any to any port = ssh keep state

Why doesn't the first example work? Here's a sample of the ingress
traffic. Only two packets captured here, but both are from the tcpdump
process running on ue0.

# tcpdump -ni ue0 host host_a and ip6 &
[1] 1373
# tcpdump -ni ue1 host host_a and ip6 &
[2] 1376

03:06:08.142889 IP6 2608:Y:Y::3:0.25237 > 2601:X::2.22: Flags [S], seq 3386259404, win 16384, options [mss 1440,nop,nop,sackOK,nop,wscale 6,nop,nop,TS val 665243237 ecr 0], length 0
03:06:14.139750 IP6 2608:Y:Y::3:0.25237 > 2601:X::2.22: Flags [S], seq 3386259404, win 16384, options [mss 1440,nop,nop,sackOK,nop,wscale 6,nop,nop,TS val 665243249 ecr 0], length 0


Any help is appreciated. Thanks in advance.
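One check worth running before debugging the rule itself is to confirm that the address the pf macro expands to is the same address the ingress capture shows as the destination. The shell helper below is an added example, not part of the original post: it pulls the destination address out of tcpdump's default "IP6 src.port > dst.port:" lines and counts how many lines do not match the expected host. The sample capture lines and the 2001:db8:: addresses are constructed for the example, since the post's own prefixes are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): compare the host address a pf
# macro expands to against the destinations actually seen on the ingress
# interface. Assumes tcpdump's default "IP6 src.port > dst.port:" format.

# Print the destination IPv6 address (port stripped) of each IP6 line on stdin.
capture_dsts() {
    awk '$2 == "IP6" { d = $5; sub(/:$/, "", d); sub(/\.[0-9]+$/, "", d); print d }'
}

# check_dst ADDR: read a capture on stdin, print the number of lines whose
# destination is not ADDR, and exit 0 only when every line matches.
check_dst() {
    addr="$1"
    mismatches=$(capture_dsts | awk -v a="$addr" '$0 != a' | wc -l | tr -d ' ')
    echo "$mismatches"
    [ "$mismatches" -eq 0 ]
}

# Constructed sample: two SYNs to the expected host and one to a different
# address, in the same layout tcpdump -n prints for IPv6 TCP.
SAMPLE_CAPTURE='03:06:08.142889 IP6 2001:db8:2::3.25237 > 2001:db8:1::2.22: Flags [S], seq 1, win 16384, length 0
03:06:14.139750 IP6 2001:db8:2::3.25237 > 2001:db8:1::2.22: Flags [S], seq 1, win 16384, length 0
03:06:20.000000 IP6 2001:db8:2::3.25238 > 2001:db8:1::9.22: Flags [S], seq 2, win 16384, length 0'

# The ADDR to pass is the expanded value pfctl reports for the rule, e.g.
#   pfctl -nvf /etc/pf.conf
# and on a live box the capture comes straight from the external interface:
#   tcpdump -nli ue0 ip6 and tcp port 22 | check_dst 2001:db8:1::2
printf '%s\n' "$SAMPLE_CAPTURE" | check_dst 2001:db8:1::2 \
    || echo "some captured packets are not addressed to the host in the rule"
```

If the count is non-zero, the rule is simply not seeing the traffic it was written for, and that is what to fix before looking at state handling or logging; if every line matches, the mismatch lies elsewhere and the expanded rule set from pfctl is the next thing to read.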