Date: Mon, 20 Apr 2009 20:35:54 +0400
From: Stanislav Sedov
To: freebsd-security@freebsd.org
Cc: ipfreak@yahoo.com
Subject: Re: ipv6 and ipfw

On Mon, 9 Feb 2009 17:29:11 -0800 (PST) gahn wrote:

> Thanks Mark:
>
> My machine would load the modules when the system boots up. Here is my rc.conf:
>
> firewall_enable="YES"
> firewall_script="/etc/ipfw.conf"
> firewall_logging="YES"
>
> Does that matter?

Your system's ipfw definitely supports ipv6. You can use the same firewall
script to set up ipv6 rules as well. Note, however, that there's a different
set of sysctls to control ip6fw, namely net.inet6.ip6.fw. Thus, to enable
it at boot time you certainly need to add ipv6_firewall_enable="YES" to
your rc.conf.

There are also a bunch of other IPv6-related configuration options:

ipv6_firewall_enable="NO"                # Set to YES to enable IPv6 firewall
                                         # functionality
ipv6_firewall_script="/etc/rc.firewall6" # Which script to run to set up the IPv6 firewall
ipv6_firewall_type="UNKNOWN"             # IPv6 Firewall type (see /etc/rc.firewall6)
ipv6_firewall_quiet="NO"                 # Set to YES to suppress rule display
ipv6_firewall_logging="NO"               # Set to YES to enable events logging

-- 
Stanislav Sedov
ST4096-RIPE
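
Added example, not part of the original message or of FreeBSD's own rc scripts: a sh check for the situation in this thread, an rc.conf that turns on firewall_enable but never sets ipv6_firewall_enable. The function names and the sample file are constructed for illustration; treating an unset knob as "NO" and accepting YES/TRUE/ON/1 are assumptions.

```sh
#!/bin/sh
# Added example (constructed): flag an rc.conf that enables the IPv4
# firewall at boot but leaves ipv6_firewall_enable off.

# rc_value FILE NAME DEFAULT: print the last assignment of NAME in FILE
# (a later line overrides an earlier one), or DEFAULT if NAME is unset.
rc_value() {
    _v=$(sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"#[:space:]]*\)\"\{0,1\}.*/\1/p" "$1" | tail -n 1)
    printf '%s\n' "${_v:-$3}"
}

# is_yes VALUE: true for YES/TRUE/ON/1 in any case (assumed to match the
# values rc.subr's checkyesno accepts).
is_yes() {
    case "$1" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_rc FILE: return 1 and report when IPv4 filtering is enabled but
# IPv6 filtering is not; unset knobs are assumed to default to "NO".
audit_rc() {
    _v4=$(rc_value "$1" firewall_enable NO)
    _v6=$(rc_value "$1" ipv6_firewall_enable NO)
    if is_yes "$_v4" && ! is_yes "$_v6"; then
        echo "GAP: firewall_enable=$_v4 but ipv6_firewall_enable=$_v6"
        return 1
    fi
    echo "OK: firewall_enable=$_v4 ipv6_firewall_enable=$_v6"
}

# Constructed sample: the rc.conf lines quoted in the thread.
sample=$(mktemp /tmp/rcconf.XXXXXX)
cat > "$sample" <<'EOF'
firewall_enable="YES"
firewall_script="/etc/ipfw.conf"
firewall_logging="YES"
EOF
audit_rc "$sample" || echo "fix: add ipv6_firewall_enable=\"YES\" to rc.conf"
rm -f "$sample"
```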