IPv6 TCP resets not returning to client PC
I have pfsense 2.1.4 box running with Hurricane Electric as a tunnel broker on the box. I have set up IPv6 DHCP and everythign works as it should, except when I create an IPv6 firewall rule on the LAN interface. I can set up rules that block specific ports. Enabling and disabling the rules works as expected except if I chose reject instead of block. Reject should create TCP resets back to the source client. Instead they are being blocked and logged by a firewall rule that isn't one seen on the GUI.
The log states:
block Aug 22 15:55:04 Direction=OUT LAN [2607:f8b0:4007:804::1014]:80 [2001:470:1f11:5c::ffb3]:57626 TCP:RA
@6 block drop out log inet6 all label "Default deny rule IPv6"
The rule that triggered this action is:
It is hitting one of the following rules from pfctl -sr
block drop out log inet6 all label "Default deny rule IPv6"
I have created IPv6 permits and they work fine for all traffic except these reset packets getting stopped exiting the LAN interface.
I experienced the same problems. I was able to fix this with the attached patch. I'm not sure but probably we should file a bug report.
The problem is that tcp resets get filtered as the 'pass out' rule for the firewall itself is limited to TCP SYN pakets. However I still receive no ICMPv6 unreachables if i'm trying to reject IPv6 udp traffic.
Here the patch:
diff --git a/filter.inc b/filter.inc index c49403a..a4e3c45 100644 --- a/filter.inc +++ b/filter.inc @@ -2854,8 +2854,8 @@ EOD; $ipfrules .= << <eod<br># let out anything from the firewall host itself and decrypted IPsec traffic -pass out inet all keep state allow-opts label "let out anything IPv4 from firewall host itself" -pass out inet6 all keep state allow-opts label "let out anything IPv6 from firewall host itself" +pass out inet all flags any keep state allow-opts label "let out anything IPv4 from firewall host itself" +pass out inet6 all flags any keep state allow-opts label "let out anything IPv6 from firewall host itself" EOD;</eod<br>