-
szilard: sommerfeld: I have reserved an IP on my router, so from the NAS's POV it is a dynamic IP, but it is always the same. I should make it a truly fixed IP to eliminate the need for the unnecessary service (dhcpagent).
-
szilard: But since this is my first OmniOS install, my setup can have defects or config mistakes.
-
sommerfeld: szilard: configuring addresses as quasi-static over DHCP is a good way to operate, but if traffic from dhcpagent is blocked by ipfilter policy or other means, dhcpagent will be unable to renew its address lease and will deconfigure the IP address when the lease expires.
-
warden: Hi to all, speaking about firewalls, I've a problem with ipfilter which is making me crazy... it's the first time I configure ipf and IPv6 in OmniOS, so I guess the cause is something I'm missing in the firewall ruleset. If anyone experienced with this firewall could point me in the right direction, I would be very grateful! :)
-
warden: You can read my configuration here: paste.omnios.org/?34edd493e7eef232#…jyubhndR5rovuiDCfRPd2Zvu1USHTgaoCYH
-
warden: All seems to work at first but, a few hours after ipfilter comes up, all IPv6 incoming traffic (I tried ICMPv6 ping and SSH) looks like it is being dropped by the OmniOS host. I say "dropped", but if I log blocked traffic, nothing shows up in the log file.
-
warden: Restarting ipfilter or pinging something in the IPv6 LAN from the OmniOS host immediately solves the problem.
-
warden: What the hell am I missing here? I supposed my rules were blocking NDP traffic, but I allowed all ICMPv6 as you can read... maybe I have no clear idea about how IPv6 works! :'(
-
m1ari: it's been a while since I played with IPF, but I think you probably want a single "block in" and "pass out keep state" type rule, and most of the others will be "pass in quick <criteria>"
-
m1ari: from memory, the "quick" keyword means it stops processing at that point if a packet matches
-
m1ari: the "pass out keep state" and "block in on <intf> all" act as the default policy
-
m1ari: you'll also need the "log" keyword if you want to log anything hitting a rule.
-
m1ari: when starting a new firewall, I might also start off by making it default allow + log so you can see if you're missing rules.
-
m1ari: there should also be flags for ipfstat which will show you the rules and counters for how much is hitting a rule