Fwb 126.96.36.19999 seems to have a problem generating rules for specific icmp6 types for PF (OpenBSD).
I have a ruleset specifying "any to any ipv6 all dest unreachable" and "any to any all ICMP unreachables".
The ICMP objects are from the Standard library.
The ipv4 rule generated from this is:
pass quick inet proto icmp from any to any icmp-type 3
The ipv6 rule generated from this is:
pass log quick inet6 proto icmp6 from any to any
The same happens when using the Group "Ipv6 unreachable messages" from the Standard library (as in the attached screenshot).
The GUI does show type 1 code any for the icmp6 object "ipv6 all dest unreachable". But apparently the compiler does not honour this.
It SHOULD be:
pass log quick inet6 proto icmp6 from any to any icmp6-type 1
I think this is a rather nasty bug because installing this pf policy will leave you far wider open than you had intended, and no errors or warnings help to point this out.
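A check that could be run over a generated pf.conf before installing it, to catch the failure described in the report: a pass rule that matches ICMP or ICMPv6 without the matching `icmp-type` / `icmp6-type` filter. This is an added example, not code from the report or from Firewall Builder; the function names and the sample ruleset are constructed for illustration.

```python
import re

# Constructed sample: the two rules the report says were generated, the rule
# the reporter expected, and two extra cases (a block rule, a protocol list).
SAMPLE_PF_CONF = """\
# constructed sample, not real compiler output
pass quick inet proto icmp from any to any icmp-type 3
pass log quick inet6 proto icmp6 from any to any
pass log quick inet6 proto icmp6 from any to any icmp6-type 1
block log quick inet6 proto icmp6 from any to any
pass in quick inet6 proto { tcp, icmp6 } \\
    from any to any
"""

PROTO_RE = re.compile(r"\bproto\s+(\{[^}]*\}|\S+)")
TYPE_KEYWORD = {"icmp": "icmp-type", "icmp6": "icmp6-type"}


def logical_lines(text):
    """Yield (first_line_number, rule) with comments removed and
    backslash continuations joined into one rule."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        if start is None:
            start = no
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield start, " ".join(buf.split())
        buf, start = "", None


def find_unrestricted_icmp(text):
    """Return (line_number, rule) for every pass rule that matches ICMP or
    ICMPv6 but carries no icmp-type / icmp6-type restriction."""
    findings = []
    for no, rule in logical_lines(text):
        tokens = rule.split()
        m = PROTO_RE.search(rule)
        if tokens[0] != "pass" or not m:
            continue
        protos = set(re.findall(r"[\w-]+", m.group(1)))
        if any(p in protos and kw not in tokens for p, kw in TYPE_KEYWORD.items()):
            findings.append((no, rule))
    return findings
```

A finding is not necessarily a compiler error, since a policy may intentionally pass all ICMPv6, so each reported rule should be compared against the types shown for the object in the GUI.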