From owner-freebsd-net@FreeBSD.ORG Mon Sep 5 15:57:00 2011
From: Willem Jan Withagen
Date: Mon, 05 Sep 2011 17:57:09 +0200
To: Ivan Voras
Cc: freebsd-net@freebsd.org, "Matthew D. Fuller"
Subject: Re: ipfw and ipv6: "me"
Message-ID: <4E64F155.2090704@digiware.nl>
References: <20110905140121.GA2135@over-yonder.net>
List-Id: Networking and TCP/IP with FreeBSD

On 5-9-2011 16:35, Ivan Voras wrote:
> On 5 September 2011 16:01, Matthew D. Fuller wrote:
>> On Mon, Sep 05, 2011 at 02:37:08PM +0200 I heard the voice of
>> Ivan Voras, and lo! it spake thus:
>>>
>>> There is no symmetrical "me4" option which leads me to think that
>>> "me" matches only ipv4 and "me6" only ipv6.
>>
>> I can't answer for the code, but as far as I could tell as a user
>> that's the case.
>>
>> (and so my firewall script is piled up with "{ me or me6 }"'s...
>> sigh)
>
> I thought so too, and AFAIK it used to work like that, but it might be that
> something has changed. I have pretty conclusive evidence that the handling
> has either been extended to (ipv4 or ipv6) or at least is inconsistent.
>
> I've verified this by having these two rules:
>
> 02999 17 1360 skipto 3000 log tcp from me to any setup keep-state
> 03000 66661 52129939 allow tcp from me to any setup keep-state
>
> and the logs have this:
>
> Sep 5 14:29:19 element kernel: ipfw: 2999 SkipTo 3000 TCP
> [2001:xxxx:xxxx:xxxx:xxxx:56ff:fe99:3327]:43389 [2001:4f8:fff6::22]:80 out
> via em0
> Sep 5 14:29:19 element kernel: ipfw: 2999 SkipTo 3000 TCP
> [2001:4f8:fff6::22]:80 [2001:xxxx:xxxx:xxxx:xxxx:56ff:fe99:3327]:43389 in
> via em0
> Sep 5 14:31:53 element kernel: ipfw: 2999 SkipTo 3000 TCP
> 69.147.83.34:80 xxx.xxx.xxx.xxx:38991 in via em0
>
> So "tcp from me to any..." appears to match both... which would be
> fine, but then how do we match ipv4 only?

I'm seriously living with the fact that 'me' is ipv4 AND ipv6.
Never got to fixing my firewall, but this seems to indicate that me matches ipv6 also on 8.2....
08890 18210 1069880 allow tcp from any to me dst-port 22 setup
08990 0 0 allow tcp from any to me6 dst-port 22 setup
09090 18846 1088324 allow tcp from any to me dst-port 25 setup
09190 0 0 allow tcp from any to me6 dst-port 25 setup
09290 34 2160 allow tcp from any to me dst-port 26 setup
09390 0 0 allow tcp from any to me6 dst-port 26 setup
09490 3 180 allow tcp from any to me dst-port 53 setup
09590 0 0 allow tcp from any to me6 dst-port 53 setup
09690 623 37764 allow tcp from any to me dst-port 80 setup
09790 0 0 allow tcp from any to me6 dst-port 80 setup
09890 290 18680 allow tcp from any to me dst-port 993 setup
09990 0 0 allow tcp from any to me6 dst-port 993 setup

And note that I have ipv6 running between work and home. So at least some ssh port 22 stuff should otherwise have matched the second rule.
Same goes for mail, FreeBSD.org does deliver over ipv6.

postfix/smtpd[93760]: disconnect from mx2.freebsd.org[2001:4f8:fff6::35]

--WjW
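Both posters reach their conclusion by reading evidence off the box rather than the man page: Ivan from `ipfw ... log` lines that show rule 2999 firing for both an IPv6 and an IPv4 flow, Willem from `ipfw -a list` counters where every `me6` rule sits at zero behind a `me` rule that has hits. The script below is an added example, not part of the thread and not FreeBSD code; it automates exactly those two checks so an administrator can verify what a `me` rule actually matches on their own ruleset. It assumes the log line layout quoted by Ivan (`ipfw: <rule> <action> [<target>] <proto> <src>:<port> <dst>:<port> in|out via <if>`) and the `<rule> <pkts> <bytes> <body>` layout of `ipfw -a list`. The log sample is constructed with documentation addresses; the counter sample is the first three `me`/`me6` pairs from Willem's listing above. The shadowing check is a heuristic: a zero counter is consistent with the earlier `me` rule absorbing the IPv6 traffic, which is what the thread observes, but it cannot by itself prove that no IPv6 traffic arrived.

```python
import re
from collections import defaultdict

# Constructed sample: ipfw log lines in the layout quoted in the thread, with
# RFC 3849 / RFC 5737 documentation addresses instead of real hosts.
SAMPLE_LOG = """\
Sep  5 14:29:19 element kernel: ipfw: 2999 SkipTo 3000 TCP [2001:db8:1::10]:43389 [2001:db8:2::22]:80 out via em0
Sep  5 14:29:19 element kernel: ipfw: 2999 SkipTo 3000 TCP [2001:db8:2::22]:80 [2001:db8:1::10]:43389 in via em0
Sep  5 14:31:53 element kernel: ipfw: 2999 SkipTo 3000 TCP 198.51.100.34:80 192.0.2.7:38991 in via em0
Sep  5 14:32:10 element kernel: ipfw: 4000 Deny UDP 192.0.2.9:5353 192.0.2.7:5353 in via em0
"""

# First three me/me6 pairs of the `ipfw -a list` output quoted in the mail.
SAMPLE_LIST = """\
08890 18210 1069880 allow tcp from any to me dst-port 22 setup
08990 0 0 allow tcp from any to me6 dst-port 22 setup
09090 18846 1088324 allow tcp from any to me dst-port 25 setup
09190 0 0 allow tcp from any to me6 dst-port 25 setup
09290 34 2160 allow tcp from any to me dst-port 26 setup
09390 0 0 allow tcp from any to me6 dst-port 26 setup
"""

# Assumed log layout; the action may carry a numeric target (e.g. "SkipTo 3000").
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>[A-Za-z]+)(?: (?P<target>\d+))? (?P<proto>\S+) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<dir>in|out) via (?P<iface>\S+)"
)
LIST_RE = re.compile(r"^(?P<rule>\d+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+(?P<body>.+)$")


def split_endpoint(ep):
    """Return (family, address, port) for '[v6addr]:port' or 'v4addr:port'.

    ipfw brackets IPv6 addresses, so the bracket is the family indicator; this
    also works for logs where the address itself has been masked with x's.
    """
    if ep.startswith("["):
        if "]:" not in ep:
            return 6, ep[1:].rstrip("]"), None
        addr, _, port = ep[1:].partition("]:")
        return 6, addr, int(port)
    addr, sep, port = ep.rpartition(":")
    if not sep:
        return 4, ep, None
    return 4, addr, int(port)


def parse_log_line(line):
    """Parse one ipfw log line into a dict, or None if it is not an ipfw line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    sfam, saddr, sport = split_endpoint(m["src"])
    _, daddr, dport = split_endpoint(m["dst"])
    return {
        "rule": int(m["rule"]),
        "action": m["action"],
        "proto": m["proto"],
        "family": sfam,
        "src": (saddr, sport),
        "dst": (daddr, dport),
        "dir": m["dir"],
        "iface": m["iface"],
    }


def families_per_rule(log_text):
    """Map rule number -> sorted list of address families seen hitting it."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec:
            seen[rec["rule"]].add(rec["family"])
    return {rule: sorted(fams) for rule, fams in seen.items()}


def parse_list_line(line):
    """Parse one `ipfw -a list` line into (rule, pkts, bytes, body)."""
    m = LIST_RE.match(line.strip())
    if not m:
        return None
    return int(m["rule"]), int(m["pkts"]), int(m["bytes"]), m["body"].strip()


def find_shadowed_me6(list_text):
    """Find me6 rules with zero hits whose identical 'me' twin earlier in the
    ruleset does have hits. Returns sorted (me_rule, me6_rule, body) tuples."""
    by_key = defaultdict(dict)
    for line in list_text.splitlines():
        parsed = parse_list_line(line)
        if not parsed:
            continue
        rule, pkts, _, body = parsed
        tokens = body.split()
        if "me6" in tokens:
            key = " ".join("me" if t == "me6" else t for t in tokens)
            by_key[key]["me6"] = (rule, pkts)
        elif "me" in tokens:
            by_key[body]["me"] = (rule, pkts)
    findings = []
    for key, pair in by_key.items():
        if "me" in pair and "me6" in pair:
            (r_me, p_me), (r_me6, p_me6) = pair["me"], pair["me6"]
            if r_me < r_me6 and p_me > 0 and p_me6 == 0:
                findings.append((r_me, r_me6, key))
    return sorted(findings)


if __name__ == "__main__":
    for rule, fams in sorted(families_per_rule(SAMPLE_LOG).items()):
        print(f"rule {rule}: matched address families {fams}")
    for r_me, r_me6, body in find_shadowed_me6(SAMPLE_LIST):
        print(f"rule {r_me6} (me6) never fired; rule {r_me} ({body!r}) fired first")
```

On a live system feed `ipfw -a list` and the kernel log into the two functions; a rule that shows up with families `[4, 6]` in the log, or a `me6` rule reported as shadowed, is the same evidence the thread relies on, produced without reading counters by hand.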