IPv6 TCP resets not returning to client PC



  • I have a pfSense 2.1.4 box running with Hurricane Electric as a tunnel broker on the box. I have set up IPv6 DHCP and everything works as it should, except when I create an IPv6 firewall rule on the LAN interface. I can set up rules that block specific ports. Enabling and disabling the rules works as expected except if I choose reject instead of block. Reject should create TCP resets back to the source client. Instead they are being blocked and logged by a firewall rule that isn't one seen on the GUI.

    The log states:

    block  Aug 22 15:55:04 Direction=OUT LAN  [2607:f8b0:4007:804::1014]:80  [2001:470:1f11:5c::ffb3]:57626 TCP:RA

    @6 block drop out log inet6 all label "Default deny rule IPv6"

    The rule that triggered this action is:

    It is hitting one of the following rules from pfctl -sr

    block drop out log inet6 all label "Default deny rule IPv6"

    I have created IPv6 permits and they work fine for all traffic except these reset packets getting stopped exiting the LAN interface.

    Ideas?
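A small defender-side check for the symptom described above, added here as an example and not part of the original post or of pfSense: it parses firewall-log lines in the shape of the one quoted (action, timestamp, direction, interface, [src]:port, [dst]:port, proto:flags) and flags blocked TCP packets leaving the LAN interface whose flags carry R but not S. Such a packet had no state behind it, so on a pfSense box it is most likely a reset generated by a `reject` rule that was then caught by the default deny rule, which is exactly what the log above shows. The sample lines are constructed; only the first mirrors the post, and the line format and heuristic are assumptions of this example.

```python
"""Added example: spot reject-generated TCP resets that the firewall dropped on
their way back to the client. The log line format mirrors the pfSense GUI line
quoted in the post; the parser and the heuristic are this example's own."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample log. Line 1 is the line from the post; lines 2 and 3 are
# made up for contrast (an inbound SYN block and a passed UDP packet).
SAMPLE_LOG = """\
block  Aug 22 15:55:04 Direction=OUT LAN  [2607:f8b0:4007:804::1014]:80  [2001:470:1f11:5c::ffb3]:57626 TCP:RA
block  Aug 22 15:55:04 Direction=IN LAN  [2001:470:1f11:5c::ffb3]:57627  [2607:f8b0:4007:804::1014]:80 TCP:S
pass  Aug 22 15:55:05 Direction=OUT LAN  [2001:470:1f11:5c::1]:53  [2001:470:1f11:5c::ffb3]:4321 UDP
"""

# Assumed line shape (derived from the single line in the post):
#   <action> <Mon dd HH:MM:SS> Direction=<IN|OUT> <iface> [<src>]:<sport> [<dst>]:<dport> <PROTO>[:<flags>]
LINE_RE = re.compile(
    r"^(?P<action>block|pass|reject)\s+"
    r"(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"Direction=(?P<direction>IN|OUT)\s+(?P<iface>\S+)\s+"
    r"\[(?P<src>[^\]]+)\]:(?P<sport>\d+)\s+"
    r"\[(?P<dst>[^\]]+)\]:(?P<dport>\d+)\s+"
    r"(?P<proto>[A-Z0-9]+)(?::(?P<flags>[A-Z]+))?\s*$"
)


@dataclass(frozen=True)
class LogEntry:
    action: str
    timestamp: str
    direction: str
    iface: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    flags: str  # TCP flag letters such as "RA"; empty for non-TCP entries


def parse_log(text: str) -> List[LogEntry]:
    """Parse every well-formed line; lines of another shape are skipped, not guessed at."""
    entries: List[LogEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            continue
        d = m.groupdict()
        entries.append(LogEntry(
            d["action"], d["ts"], d["direction"], d["iface"],
            d["src"], int(d["sport"]), d["dst"], int(d["dport"]),
            d["proto"], d["flags"] or "",
        ))
    return entries


def dropped_resets(entries: List[LogEntry]) -> List[LogEntry]:
    """Heuristic: a *blocked* TCP packet going OUT with R set and S clear never had a
    state entry, so it is most likely a firewall-generated reset (from a reject rule)
    that the default deny rule caught, as in the post."""
    return [
        e for e in entries
        if e.action == "block" and e.direction == "OUT" and e.proto == "TCP"
        and "R" in e.flags and "S" not in e.flags
    ]


def report(text: str) -> List[str]:
    """One human-readable line per suspected dropped reset."""
    return [
        f"{e.timestamp} {e.iface}: reset [{e.src}]:{e.sport} -> [{e.dst}]:{e.dport} "
        f"(flags {e.flags}) was blocked on the way out; check the firewall's own "
        f"'pass out' rule and the default deny hits"
        for e in dropped_resets(parse_log(text))
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Run against an exported log, the report should be empty on a healthy box; a steady stream of hits for a port you have a reject rule on is the signature of the problem in this thread, and the src/sport of each hit tells you which rejected service the reset was spoofed on behalf of.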



  • Hi!

    I experienced the same problems. I was able to fix this with the attached patch. I'm not sure but probably we should file a bug report.

    The problem is that TCP resets get filtered as the 'pass out' rule for the firewall itself is limited to TCP SYN packets. However, I still receive no ICMPv6 unreachables if I'm trying to reject IPv6 UDP traffic.

    Here the patch:

    diff --git a/filter.inc b/filter.inc
    index c49403a..a4e3c45 100644
    --- a/filter.inc
    +++ b/filter.inc
    @@ -2854,8 +2854,8 @@ EOD;
    
            $ipfrules .= << <eod<br># let out anything from the firewall host itself and decrypted IPsec traffic
    -pass out inet all keep state allow-opts label "let out anything IPv4 from firewall host itself"
    -pass out inet6 all keep state allow-opts label "let out anything IPv6 from firewall host itself"
    +pass out inet all flags any keep state allow-opts label "let out anything IPv4 from firewall host itself"
    +pass out inet6 all flags any keep state allow-opts label "let out anything IPv6 from firewall host itself"
    
     EOD;</eod<br> 
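Review bot: the two `+pass out ... flags any keep state` lines widen both the IPv4 and the IPv6 "let out anything from firewall host itself" rules, while the thread only reports the IPv6 `reject` resets being dropped; because the rule is `all` (any protocol, any source), `flags any` removes pf's implicit `flags S/SA` SYN-only state creation for every outbound TCP packet the host emits, which is broader than the single `TCP:RA` reset that was being logged against "Default deny rule IPv6". Suggest leaving the IPv4 line unchanged until the same symptom is confirmed there, or narrowing the widening to an explicit `proto tcp` rule with `flags any` so it is visible in the ruleset, and in either case adding a comment in the heredoc stating why SYN-only state creation blocked `reject` resets. Nothing in this hunk touches UDP, so the missing ICMPv6 unreachables mentioned in the post are expected to persist after applying it.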
    

    Cheers

