Problems with IPv6 and PF on a Hetzner machine

From: Matthias Fechner <idefix(at)fechner.net>
Date: Wed, 29 Apr 2015 21:22:06 +0200

Hi,

I'm having strange problems on a Hetzner machine.
IPv4 works fine with the firewall.
With IPv6 I can ping, but nothing else works.
If I disable the firewall with pfctl -d, everything works; if I
re-enable it with pfctl -e, only ping6 still works and everything else
is unreachable.

Maybe someone could take a look at the config; at the moment I have no
idea what could be causing it.
/etc/pf.conf:
######
EXT_IF = "xn0"

set block-policy return

# define table
table <fail2ban> persist
table <spamd> persist
table <spamd-white> persist

TcpState="flags S/SA modulate state"
UdpState="keep state"

tcp_pass="{ssh http https smtp smtps submission pop3 pop3s imap imaps
sieve ftp 30000:50000 5666 14534 8080 git}"
udp_pass="{8767}"

# don't filter on the loopback interface
set skip on lo0

#scrub provides a measure of protection against certain kinds of
#attacks based on incorrect handling of packet fragments
scrub in all

# redirect unknown mail senders to spamd
no rdr proto tcp from <spamd-white> to any port smtp
rdr pass proto tcp from <spamd> to any port smtp -> 127.0.0.1 port spamd
rdr pass proto tcp from any to any port smtp -> 127.0.0.1 port spamd

# we block all by default
block log all

#IPv6 - pass in/out all IPv6 ICMP traffic
pass in quick proto icmp6 all

# allow outgoing traffic
pass out quick all $TcpState

# block ssh known brute force to all ports
block in log quick proto tcp from <fail2ban> to any label "ssh bruteforce"

# allow icmp
pass in quick on $EXT_IF proto icmp from any to any keep state

# allow tcp services defined
pass in quick on $EXT_IF proto tcp from any to any port $tcp_pass $TcpState

# allow udp services
pass in quick on $EXT_IF proto udp from any to any port $udp_pass $UdpState

# allow complete ipv6
pass log quick on $EXT_IF inet6 from any to any keep state

#######
Thanks and regards
Matthias

-- 
"Programming today is a race between software engineers striving to
build bigger and better idiot-proof programs, and the universe trying to
produce bigger and better idiots. So far, the universe is winning." --
Rich Cook
Received on Wed 29 Apr 2015 - 21:22:20 CEST
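As an added illustration (not part of the mail above and not the poster's code), the following Python script models how pf walks a filter ruleset: rules are tried in order, the last matching rule decides, and a matching rule marked "quick" ends the evaluation immediately. The filter rules from the posted /etc/pf.conf are encoded in the same order, with the macros expanded and service names resolved to their usual /etc/services numbers (an assumption of this example). Tables are reduced to a per-packet membership flag; state tracking, scrub and the spamd rdr rules are deliberately not modelled, so a "pass" result only says that rule order alone does not drop that packet.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Simplified model of pf filter evaluation (added example, not pf's own code).
# Rules are tried in order; the last match wins unless a match is "quick".
# Tables, state tracking, scrub and rdr are outside this model.

PortRanges = Tuple[Tuple[int, int], ...]


@dataclass(frozen=True)
class Rule:
    action: str                          # "pass" or "block"
    direction: Optional[str] = None      # "in", "out" or None (both)
    iface: Optional[str] = None          # interface name or None (any)
    af: Optional[str] = None             # "inet", "inet6" or None (both)
    proto: Optional[str] = None          # "tcp", "udp", "icmp", "icmp6" or None
    dports: Optional[PortRanges] = None  # destination port ranges or None (any)
    src_table: Optional[str] = None      # require the source to be in this table
    quick: bool = False
    label: str = ""


@dataclass(frozen=True)
class Packet:
    direction: str
    iface: str
    af: str
    proto: str
    dport: Optional[int] = None
    src_tables: frozenset = frozenset()  # tables the source address belongs to


def port_in_ranges(port: int, ranges: PortRanges) -> bool:
    return any(lo <= port <= hi for lo, hi in ranges)


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every criterion the rule specifies agrees with the packet."""
    if rule.direction and rule.direction != pkt.direction:
        return False
    if rule.iface and rule.iface != pkt.iface:
        return False
    if rule.af and rule.af != pkt.af:
        return False
    if rule.proto and rule.proto != pkt.proto:
        return False
    if rule.dports is not None:
        if pkt.dport is None or not port_in_ranges(pkt.dport, rule.dports):
            return False
    if rule.src_table and rule.src_table not in pkt.src_tables:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Return (action, label) of the rule that decides the packet's fate."""
    decision = ("pass", "implicit default")  # pf passes when nothing matches
    for rule in rules:
        if matches(rule, pkt):
            decision = (rule.action, rule.label)
            if rule.quick:
                break  # "quick": stop evaluating further rules
    return decision


# Filter rules from the posted pf.conf, in the same order. Port numbers for the
# service names are the conventional /etc/services values (assumed here).
TCP_PASS: PortRanges = (
    (22, 22), (80, 80), (443, 443), (25, 25), (465, 465), (587, 587),
    (110, 110), (995, 995), (143, 143), (993, 993), (4190, 4190), (21, 21),
    (30000, 50000), (5666, 5666), (14534, 14534), (8080, 8080), (9418, 9418),
)
UDP_PASS: PortRanges = ((8767, 8767),)

RULESET = [
    Rule("block", label="block log all"),
    Rule("pass", "in", proto="icmp6", quick=True, label="pass in quick proto icmp6 all"),
    Rule("pass", "out", quick=True, label="pass out quick all"),
    Rule("block", "in", proto="tcp", src_table="fail2ban", quick=True, label="ssh bruteforce"),
    Rule("pass", "in", "xn0", proto="icmp", quick=True, label="allow icmp"),
    Rule("pass", "in", "xn0", proto="tcp", dports=TCP_PASS, quick=True, label="tcp services"),
    Rule("pass", "in", "xn0", proto="udp", dports=UDP_PASS, quick=True, label="udp services"),
    Rule("pass", None, "xn0", af="inet6", quick=True, label="allow complete ipv6"),
]


def decide(direction, iface, af, proto, dport=None, src_tables=()):
    """Convenience wrapper: evaluate one constructed packet against RULESET."""
    pkt = Packet(direction, iface, af, proto, dport, frozenset(src_tables))
    return evaluate(RULESET, pkt)


if __name__ == "__main__":
    # Constructed sample packets, one per interesting path through the ruleset.
    samples = [
        ("in", "xn0", "inet6", "tcp", 80, ()),
        ("in", "xn0", "inet6", "udp", 9999, ()),
        ("in", "xn0", "inet", "udp", 9999, ()),
        ("in", "xn0", "inet", "tcp", 22, ("fail2ban",)),
        ("in", "xn0", "inet6", "icmp6", None, ()),
        ("out", "xn0", "inet6", "tcp", 443, ()),
    ]
    for s in samples:
        action, label = decide(*s)
        print(f"{s[0]:>3} {s[1]} {s[2]:5} {s[3]:5} dport={s[4]}: {action} ({label})")
```

Note that in this model every IPv6 packet on xn0 ends up passed, either by a specific "quick" rule or by the trailing "allow complete ipv6" rule, and IPv4 traffic to unlisted ports falls back to "block log all". Since the ruleset has "block log all", whatever pf actually drops can be watched on the pflog interface (tcpdump on pflog0), which is the natural next check when rule order alone does not explain the symptom.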
