From owner-freebsd-stable@FreeBSD.ORG  Mon Aug 14 19:22:08 2006
Return-Path: <owner-freebsd-stable@FreeBSD.ORG>
X-Original-To: stable@freebsd.org
Delivered-To: freebsd-stable@FreeBSD.ORG
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id DFCD416A4E1
	for <stable@freebsd.org>; Mon, 14 Aug 2006 19:22:08 +0000 (UTC)
	(envelope-from oberman@es.net)
Received: from postal2.es.net (postal2.es.net [198.128.3.206])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 76AAC43D72
	for <stable@freebsd.org>; Mon, 14 Aug 2006 19:22:08 +0000 (GMT)
	(envelope-from oberman@es.net)
Received: from ptavv.es.net (ptavv.es.net [198.128.4.29])
	by postal2.es.net (Postal Node 2) with ESMTP (SSL) id SBK81307
	for <stable@freebsd.org>; Mon, 14 Aug 2006 12:22:07 -0700
Received: from ptavv.es.net (localhost [127.0.0.1])
	by ptavv.es.net (Tachyon Server) with ESMTP id 8118445093
	for <stable@freebsd.org>; Mon, 14 Aug 2006 12:22:07 -0700 (PDT)
To: stable@freebsd.org
Date: Mon, 14 Aug 2006 12:22:07 -0700
From: "Kevin Oberman" <oberman@es.net>
Message-Id: <20060814192207.8118445093@ptavv.es.net>
Cc: 
Subject: Lost IPv6 with ipfw in latest stable
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>, 
	<mailto:freebsd-stable-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-stable>
List-Post: <mailto:freebsd-stable@freebsd.org>
List-Help: <mailto:freebsd-stable-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>,
	<mailto:freebsd-stable-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Aug 2006 19:22:09 -0000

For the first time since about may I have updated my 6-Stable system and
my firewall seems badly broken with IPv6.

1. Any rule with me6 is rejected as an unknown host
2. A rule of "allow ip from me to any" still is blocking IPv6
3. I am seeing ICMPv6 type 135 blocked even though I have a rule to
   explicitly allow it:
   allow ipv6-icmp from any to me ip6 icmp6types 134,135,136

When I booted up, the console said that "ipfw2 (+ipv6) initialized", but
it really looks like the IPv6 stuff is not working right. I did try to
explicitly add a rule permitting my IPv6 source to send to my DNS server
and that does appear to work.  

My firewall on my -current system seems to be OK except that 'me6' is
not accepted there, either. (I suspect the documentation needs updating.)

Am I doing something dumb or is something broken in ipfw?
-- 
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman@es.net			Phone: +1 510 486-8634
Key fingerprint:059B 2DDF 031C 9BA3 14A4  EADA 927D EBB3 987B 3751