Date: Mon, 23 Nov 2009 10:27:43 -0800
From: Benjamin Lee <ben@b1c1l1.com>
To: John Baldwin <jhb@freebsd.org>
Cc: freebsd-net@freebsd.org, freebsd-current@freebsd.org, Hajimu UMEMOTO <ume@freebsd.org>, Doug Barton <dougb@freebsd.org>
Subject: Re: [CFR] unified rc.firewall
Message-ID: <4B0AD41F.6020709@b1c1l1.com>
In-Reply-To: <200911231255.26279.jhb@freebsd.org>
References: <ygeljhyk1qg.wl%ume@mahoroba.org> <200911231056.15247.jhb@freebsd.org> <ygetywlgnic.wl%ume@mahoroba.org> <200911231255.26279.jhb@freebsd.org>
On 11/23/2009 09:55 AM, John Baldwin wrote:
> On Monday 23 November 2009 12:27:23 pm Hajimu UMEMOTO wrote:
>> Hi,
>>
>>>>>>> On Mon, 23 Nov 2009 10:56:14 -0500
>>>>>>> John Baldwin <jhb@freebsd.org> said:
>> jhb> # For services permitted below.
>> jhb> ${fwcmd} add pass tcp from me to any established
>> jhb> + if [ $ipv6_available -eq 0 ]; then
>> jhb> + ${fwcmd} add pass ip6 from any to any proto tcp established
>> jhb> + fi
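Review bot: the IPv6 rule in this hunk is scoped `from any to any` while the IPv4 rule directly above it is `from me to any`, so the IPv6 branch passes established TCP segments whether or not this host is an endpoint of the connection; use `me6` to give both families the same scope, e.g. `${fwcmd} add pass ip6 from me6 to any proto tcp established`. A short comment next to `if [ $ipv6_available -eq 0 ]` saying that 0 means IPv6 is present would also help, since a reader used to shell-style booleans will read the test the other way round.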
>>
>> jhb> I think this extra rule here isn't needed at all as the first rule should
>> jhb> already match all of those packets.
>>
>> WORKSTATION type rule is fully dynamic. However, I saw it doesn't
>> work for IPv6 as expected. SSH connection stalls after some period.
>> I suspect the keepalive timer doesn't work well for IPv6.
>> So, I changed to use the traditional setup/established rule for TCP/IPv6.
>> Further, 'me' doesn't match IPv6 addresses.
>
> I had missed the me vs any. It is true that the equivalent rule would use
> me6. I would rather figure out the IPv6 bug so that TCP is treated the
> same for both protocols instead of having a weaker firewall for IPv6 than
> IPv4.
There is a bug in ipfw send_pkt() that prevents ipfw_tick() from
functioning for IPv6. See PR kern/117234.
--
Benjamin Lee
http://www.b1c1l1.com/
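Added example, not code from the rc.firewall patch under review or from any of the posters: an rc.firewall-style fragment that builds the TCP "established" rules for both address families with the same scope, using `me6` for IPv6 as the thread suggests instead of `from any to any`. It assumes the rc.firewall convention visible in the quoted patch that `ipv6_available` is 0 when the kernel has inet6, and that `${fwcmd}` can be pointed at `echo` for a dry run on a machine where you do not want to touch the live ipfw ruleset; the `ip6 ... proto tcp` spelling mirrors the patch.

```shell
#!/bin/sh
# Added example (not part of the rc.firewall patch in this thread).
# Assumptions, mine rather than the page's: ipv6_available follows the
# rc.firewall convention (0 = kernel has inet6), and fwcmd may be set to a
# dry-run command so the rules are printed instead of loaded into ipfw.

# Default to printing the ipfw commands rather than running them.
fwcmd="${fwcmd:-echo /sbin/ipfw}"

# Emit the "established" rules for one ruleset.
# $1 is ipv6_available (0 = IPv6 present, as in rc.firewall).
fw_established_rules() {
    ipv6_available="$1"

    # IPv4: only segments of connections this host is a party to
    # ("me" matches the host's own IPv4 addresses).
    ${fwcmd} add pass tcp from me to any established

    # IPv6: same scope, "me6" matches the host's own IPv6 addresses.
    # "from any to any" here would also pass established segments of
    # connections this host is not an endpoint of (the weaker rule the
    # thread objects to).
    if [ "${ipv6_available}" -eq 0 ]; then
        ${fwcmd} add pass ip6 from me6 to any proto tcp established
    fi
}

# Number of "established" rules a ruleset emits; lets a dry run check that
# the IPv6 rule appears only when IPv6 is available.
fw_rule_count() {
    fw_established_rules "$1" | grep -c 'established'
}

# Dry run when executed directly: with fwcmd unset, the rules are printed.
fw_established_rules 0   # IPv6 present: two rules, IPv4 and IPv6
fw_established_rules 1   # no IPv6: the IPv4 rule only
```

Run it as-is to see the rules it would load; to apply them on a FreeBSD host, set `fwcmd=/sbin/ipfw` in the environment as rc.firewall itself does.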
