Re: Understanding pf with FTP on IPv6

[Philip Dodd <philip.dodd%free.fr@localhost>]

On Sun, 21 Nov 2010 12:45:17 +0100, Rhialto <rhialto%falu.nl@localhost> wrote:
> On Sat 20 Nov 2010 at 10:11:37 +0100, Philip Dodd wrote:
> > On Mon, 25 Oct 2010 21:43:05 +0200, Philip Dodd
> > <philip.dodd%free.fr@localhost> wrote:
>
> > >I am running a dual-stack host that I'm currently seeing a strange
> > >issue (or at least an issue I don't understand :) ) with outgoing
> > >(client) FTP connections over IPv6.
>                                  ^^^^
> > >Basically my pf.conf contains a "block in all" at the start and a
>                 ^^^^^^^
> > >bunch of rules that allow some stuff to connect on regular ports
> > >inbound.
>
> I recall reading on one of the netbsd lists that pf simply doesn't 
> work
> properly with IPv6. (Of course I didn't keep a reference, but google
> ``pf ipv6 site:netbsd.org'' gave me this:
>
> http://mail-index.netbsd.org/current-users/2010/05/27/msg013566.html).
>
> I was planning to change from "old-fashioned" ipf to "modern" pf, but
> when I read that, I just decided to forget about pf.

Hi,

Thanks to all who took the time to give me some pointers.  It turns 
out, as I suspected, to be much, much dumber than something inherently 
wrong with IPv6.  The packets getting dropped were not, in fact SA 
packets from the FTP, but neighbour sollicitation packets.  At some 
point, although neighbour advertise was allowed in, I'd commented out 
the pass in neighboursol (I think I did it when I remove pass in 
routersol, which is genuinely not needed), so, in fact, I think the FTP 
was a red-herring.

The upside is I've now got some more useful logging configured on 
pflog, the downside is I get to look dumb in public. Some you win, some 
you lose :/

Thanks again to all for your time.

Best regards,

Phil