
ipv6 udp and keep state

Hello,

I have a dualstacked firewall on OpenBSD 3.2 BASE with IPv4 and IPv6
connection over Ethernet (no gif).

I am trying to have the exact same policy/rules for IPv4 as for IPv6, so
I started with the IPv4 ruleset, tested it and adapted it to IPv6
(basically duplicating every rule and adapting syntax where necessary).
Everything works fine, except that to me it seems that IPv6 udp doesn't
keep state while IPv4 udp does.
DNS lookups from internal and from the firewall itself work over IPv4, but on
IPv6 the reply packets from the DNS server get blocked by the "block
all", and I never see a state created when I query DNS over IPv6
from either internal or the firewall, but I do see one when doing it over
IPv4.
I read the man page as saying that keep state does have an effect on udp too,
while only comparing address and port, but there is no mention that it doesn't
work on IPv6.
Can anybody see what I screwed up here or give me a hint where to look
further? I have been completely stuck with this for days.

Here is my rule file

# define some macros
extif = "xl0"
intif = "xl1"
extip4 = "157.161.128.40"
extip6 = "3ffe:2029:f001:128::20"
intip4 = "192.168.192.1"
intip6 = "3ffe:2029:f001:192::1"
intnet4 = "192.168.192.0/24"
intnet6 = "3ffe:2029:f001:192::/64"
ispdns = "{ 157.161.184.6, 157.161.128.3 }"
ispdns6 = "{ 3ffe:2029:f001:184a::6, 3ffe:2029:f001:128::3 }"

# Normalize: reassemble fragments and resolve or reduce traffic ambiguities

scrub in all

nat on $extif inet from $intnet4 to any -> $extip4

# antispoof
antispoof for lo0
antispoof for xl0 inet
antispoof for xl1 inet

block in log all
block return-rst in log on $extif inet6 proto tcp from any to any port = 113
block return-rst in log on $extif inet proto tcp from any to any port = 113

pass out on $extif inet6 proto udp from { $extip6, ::1, $intnet6 } to $ispdns6 port = 53 keep state
pass out on $extif inet proto udp from { $extip4, 127.0.0.1, $intnet4 } to $ispdns port = 53 keep state
pass in on $intif inet6 proto udp from $intnet6 to $ispdns6 port = 53
pass in on $intif inet proto udp from $intnet4 to $ispdns port = 53

** more pass in and out stuff, but no blocks, so I guess it's irrelevant for my question **


Thanks in advance.
Christoph Schneeberger
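The stated goal of the post is a rule-for-rule mirror of the IPv4 policy in IPv6, built by duplicating every rule by hand. The following Python script is an added example, not part of the original post and not OpenBSD or pf code: it expands pf.conf macros, reduces each inet/inet6 rule to a family-neutral "shape" (address family keyword dropped, address literals replaced), and reports rules whose counterpart in the other family is missing or differs only by "keep state", plus every pass rule for UDP that carries no "keep state". The ruleset embedded in it is constructed from the post, with "keep state" deliberately dropped from the IPv6 DNS rule so that a finding appears; it is not the poster's actual file, in which both DNS rules carry "keep state". The rule names, function names and the "ADDR" placeholder are the example's own.

```python
import re

# Constructed sample modelled on the ruleset in the post.  It is NOT the
# poster's full file: the macro list is shortened, and "keep state" has been
# dropped from the IPv6 DNS rule on purpose so the checker has something to
# report.
SAMPLE_PF_CONF = """
# macros
extif = "xl0"
intif = "xl1"
extip4 = "157.161.128.40"
extip6 = "3ffe:2029:f001:128::20"
intnet4 = "192.168.192.0/24"
intnet6 = "3ffe:2029:f001:192::/64"
ispdns = "{ 157.161.184.6, 157.161.128.3 }"
ispdns6 = "{ 3ffe:2029:f001:184a::6, 3ffe:2029:f001:128::3 }"

block in log all
block return-rst in log on $extif inet6 proto tcp from any to any port = 113
block return-rst in log on $extif inet proto tcp from any to any port = 113

pass out on $extif inet6 proto udp from { $extip6, ::1, $intnet6 } to $ispdns6 port = 53
pass out on $extif inet proto udp from { $extip4, 127.0.0.1, $intnet4 } to $ispdns port = 53 keep state
pass in on $intif inet6 proto udp from $intnet6 to $ispdns6 port = 53
pass in on $intif inet proto udp from $intnet4 to $ispdns port = 53
"""

MACRO_RE = re.compile(r'^(\w+)\s*=\s*"?([^"]*)"?$')
IPV4_RE = re.compile(r'\b\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?\b')
IPV6_RE = re.compile(r'(?<![\w:])(?:[0-9a-fA-F]{0,4}:){2,7}[0-9a-fA-F]{0,4}(?:/\d{1,3})?')


def _logical_lines(text):
    """Yield non-empty lines with '#' comments stripped and '\\' continuations joined."""
    buf = ''
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        if line.endswith('\\'):
            buf += line[:-1] + ' '
            continue
        line = (buf + line).strip()
        buf = ''
        if line:
            yield line


def parse_pf(text):
    """Return the rule lines with $macros expanded; macro definitions are consumed."""
    macros, rules = {}, []
    for line in _logical_lines(text):
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2).strip()
        else:
            rules.append(re.sub(r'\$(\w+)',
                                lambda mm: macros.get(mm.group(1), mm.group(0)), line))
    return rules


def family_of(rule):
    toks = rule.split()
    return 'inet6' if 'inet6' in toks else 'inet' if 'inet' in toks else 'any'


def shape_of(rule):
    """Family-neutral form: drop the af keyword, replace each address literal by ADDR."""
    s = ' '.join(t for t in rule.split() if t not in ('inet', 'inet6'))
    return IPV4_RE.sub('ADDR', IPV6_RE.sub('ADDR', s))


def toggle_state(shape):
    # Only the bare "keep state" suffix is handled; state options such as
    # "(max ...)" would need a richer parser.
    suffix = ' keep state'
    return shape[:-len(suffix)] if shape.endswith(suffix) else shape + suffix


def parity_findings(rules):
    """Pair inet rules with inet6 rules by shape and report the asymmetries."""
    by_fam = {'inet': {}, 'inet6': {}}
    for r in rules:
        fam = family_of(r)
        if fam in by_fam:
            by_fam[fam][shape_of(r)] = r
    findings = []
    for shape, r4 in by_fam['inet'].items():
        if shape in by_fam['inet6']:
            continue
        r6 = by_fam['inet6'].get(toggle_state(shape))
        findings.append(('keep-state-mismatch', r4, r6) if r6
                        else ('no-inet6-counterpart', r4, None))
    for shape, r6 in by_fam['inet6'].items():
        if shape not in by_fam['inet'] and toggle_state(shape) not in by_fam['inet']:
            findings.append(('no-inet-counterpart', None, r6))
    return findings


def stateless_udp_rules(rules):
    """Pass rules for UDP without keep state: their replies must match some other rule."""
    return [r for r in rules
            if r.startswith('pass') and ' proto udp ' in r and 'keep state' not in r]


def audit(text):
    rules = parse_pf(text)
    return {'parity': parity_findings(rules), 'stateless_udp': stateless_udp_rules(rules)}


if __name__ == '__main__':
    report = audit(SAMPLE_PF_CONF)
    for kind, r4, r6 in report['parity']:
        print(kind)
        print('  inet : ', r4)
        print('  inet6: ', r6)
    for r in report['stateless_udp']:
        print('stateless udp pass rule:', r)
```

Run against the constructed sample it reports one keep-state mismatch (the IPv4 DNS out rule against its IPv6 twin) and lists the three UDP pass rules that create no state. The shape comparison is deliberately loose (addresses collapse to a placeholder, so a rule with two list members would still pair with one that has two different members), which is what you want for a "did I forget a rule" check, not a semantic equivalence test.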