On Thu, Aug 13, 2009 at 05:31:39PM +0200, Henning Brauer wrote:
Right, thanks for this terse answer Henning (:
I investigated further, and found the cause of my problems to lie in the
fact that I was mentioning the address family in the rules.
Here are relevant excerpts of my pf.conf:
ext_if="sis0"
...
block all
...
pass in on $ext_if proto tcp from any to ($ext_if) \
port ssh flags S/SA keep state
pass in on $ext_if inet6 proto tcp from any to ($ext_if) \
port ssh flags S/SA keep state
The (almost) duplication is due to my previously using a tunnel provided
by SixXS, thus having an additional interface only for IPv6. My ISP now
provides native IPv6, so I just s/sixxs_if/ext_if/g my configuration
file (yes, that's my way of bluntly copying).
To solve my problem, I replaced the duplicated rules by a single similar
one which does not specify any address family:
pass in on $ext_if proto tcp from any to ($ext_if) \
port ssh flags S/SA keep state
This now works like a charm.
What I don't understand, though, is why it wasn't working with the
original set of rules, as they look very similar to me, and I would have
expected them to achieve the same behavior, if not as efficiently.
What am I missing?
--
Olivier Mehani <shtrom@ssji.net>
PGP fingerprint: 4435 CF6A 7C8D DD9B E2DE F5F9 F012 A6E2 98C6 6655
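An added illustration of the point in the post above, written for this page and not taken from the list thread or from pf itself: a small Python rule-set checker that reads pf.conf text, joins backslash-continued lines, and flags a filter rule that repeats an earlier rule except for an added `inet`/`inet6` qualifier. It assumes the documented pf behaviour that a rule naming no address family matches both IPv4 and IPv6, so the family-restricted copy adds no new matches; the sample configuration is constructed in the shape of the post's excerpt, and the function names (`join_continuations`, `parse_rule`, `find_family_redundant`) are this example's own.

```python
"""Toy pf.conf rule-set checker: flag rules that repeat an earlier rule
except for an inet/inet6 address-family qualifier.

Assumption (pf semantics, stated here, not taken from the post): a filter
rule that names no address family matches both IPv4 and IPv6 traffic, so an
otherwise identical rule restricted to one family never matches anything
the broader rule does not already match.
"""

# Constructed sample in the shape of the post's excerpt; not a real host config.
SAMPLE_PF_CONF = r'''
ext_if="sis0"
block all
pass in on $ext_if proto tcp from any to ($ext_if) \
    port ssh flags S/SA keep state
pass in on $ext_if inet6 proto tcp from any to ($ext_if) \
    port ssh flags S/SA keep state
'''

ACTIONS = ("pass", "block", "match")
FAMILIES = ("inet", "inet6")


def join_continuations(text):
    """Return logical lines: backslash-newline continuations joined,
    comments stripped, blank lines dropped, whitespace normalised."""
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            logical.append(" ".join(buf.split()))
        buf = ""
    if buf.strip():  # file ended inside a continuation
        logical.append(" ".join(buf.split()))
    return logical


def parse_rule(line):
    """Return (family or None, canonical token tuple without the family)
    for a filter rule, or None for macros and other non-rule lines."""
    tokens = line.split()
    if not tokens or tokens[0] not in ACTIONS:
        return None
    family, rest = None, []
    for tok in tokens:
        if tok in FAMILIES and family is None:
            family = tok
        else:
            rest.append(tok)
    return family, tuple(rest)


def find_family_redundant(text):
    """Return (redundant_index, covering_index) pairs, indices being
    positions in the list of filter rules in file order. A rule is
    redundant when an earlier rule has the same tokens and either no
    family qualifier (matches both families) or the same one."""
    rules = [r for r in (parse_rule(l) for l in join_continuations(text)) if r]
    findings = []
    for i, (fam_i, canon_i) in enumerate(rules):
        for j in range(i):
            fam_j, canon_j = rules[j]
            if canon_i == canon_j and (fam_j is None or fam_j == fam_i):
                findings.append((i, j))
                break
    return findings


if __name__ == "__main__":
    rules = [r for r in (parse_rule(l) for l in join_continuations(SAMPLE_PF_CONF)) if r]
    for redundant, covering in find_family_redundant(SAMPLE_PF_CONF):
        print("rule %d is already covered by rule %d:" % (redundant, covering))
        print("  ", rules[redundant][0], " ".join(rules[redundant][1]))
        print("  ", rules[covering][0], " ".join(rules[covering][1]))
```

Run against the sample, the checker reports that the `inet6` rule is covered by the family-less rule before it, which is exactly the pair the post collapsed into one rule. It is a syntactic check only: it does not evaluate macros, tables or `quick`, so it complements rather than replaces `pfctl -nf` on the real file.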