From owner-freebsd-ipfw@FreeBSD.ORG Thu Dec 17 08:36:14 2009
Date: Thu, 17 Dec 2009 17:36:00 +0900
From: Hajimu UMEMOTO
To: David Horn
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Unified rc.firewall ipfw me/me6 issue
In-Reply-To: <25ff90d60912162320y286e37a0ufeb64397716d8c18@mail.gmail.com>
References: <25ff90d60912162320y286e37a0ufeb64397716d8c18@mail.gmail.com>
Organization: Internet Mutual Aid Society, YOKOHAMA
X-Operating-System: FreeBSD 8.0-RELEASE-p1
X-PGP-Key: http://www.imasy.or.jp/~ume/publickey.asc
X-PGP-Fingerprint: 1F00 0B9E 2164 70FC 6DC5 BF5F 04E9 F086 BF90 71FE
List-Id: IPFW Technical Discussions

Hi,

>>>>> On Thu, 17 Dec 2009 02:20:47 -0500
>>>>> David Horn said:

dhorn2000> Thanks for working on rc.firewall, as the old scenario of dualing
dhorn2000> rc.firewall/rc.firewall6 was not easily used in the default configurations
dhorn2000> when running dual stack. The new rc.firewall has some very decent sane
dhorn2000> defaults.
dhorn2000> My testing so far has been concentrated on firewall_type="client",
dhorn2000> dual stack v4/v6 with SLAAC for IPv6, and DHCP for IPv4. I will try some of
dhorn2000> the IPv6 tunnel scenarios later.

There is no rule to pass the IPv6 over IPv4 tunnel. You need to add it
by yourself for now. I thought it might be better to have it in our default
rules. However, I didn't come up with a suitable default, so I didn't add it.

dhorn2000> I ran some tests against the now committed to -current /etc/rc.firewall, and
dhorn2000> think I have found an issue. In every line that has the "me" token without
dhorn2000> the equivalent "me6" token, the command is only taking effect for ipv4.

Yes, thank you for the report. It's my mistake. The default rules should
have the same behavior, as far as possible, for IPv4 and IPv6.

dhorn2000> ${fwcmd} add pass udp from { me or me6 } to any 53 keep-state

Your proposed patch is simple enough, thus I like it. However, we need to
consider the environment where the kernel doesn't have IPv6 support. So,
we cannot just use '{ me or me6 }' here. How about the attached patch,
instead? Sorry, but I have no test environment for now, so I haven't
tested it myself yet. I'll test it later.

dhorn2000> The same issue exists for several other entries as well. (possible diff
dhorn2000> attached) The other option is to modify ipfw to actually have three
dhorn2000> different "me" tokens (me/me4/me6) where the new "me" token would match both
dhorn2000> ipv4 and ipv6 local interface addresses. Currently "me" matches only ipv4
dhorn2000> addresses on my amd64 -current box.

I think having 'me' match both IPv4 and IPv6 is better.

dhorn2000> P.S., might also be nice to have an UPDATING entry for unified rc.firewall

Yes, it should be. I'll add an UPDATING entry later.
Sincerely, --Multipart_Thu_Dec_17_17:36:00_2009-1 Content-Type: text/x-patch; type=patch; charset=US-ASCII Content-Disposition: attachment; filename="rc.firewall-me6.diff" Content-Transfer-Encoding: 7bit Index: etc/rc.firewall diff -u etc/rc.firewall.orig etc/rc.firewall --- etc/rc.firewall.orig 2009-12-03 00:05:26.000000000 +0900 +++ etc/rc.firewall 2009-12-17 17:04:40.000000000 +0900 @@ -230,18 +230,30 @@ # Allow setup of incoming email ${fwcmd} add pass tcp from any to me 25 setup + if [ -n "$net6" ]; then + ${fwcmd} add pass tcp from any to me6 25 setup + fi # Allow setup of outgoing TCP connections only ${fwcmd} add pass tcp from me to any setup + if [ -n "$net6" ]; then + ${fwcmd} add pass tcp from me6 to any setup + fi # Disallow setup of all other TCP connections ${fwcmd} add deny tcp from any to any setup # Allow DNS queries out in the world ${fwcmd} add pass udp from me to any 53 keep-state + if [ -n "$net6" ]; then + ${fwcmd} add pass udp from me6 to any 53 keep-state + fi # Allow NTP queries out in the world ${fwcmd} add pass udp from me to any 123 keep-state + if [ -n "$net6" ]; then + ${fwcmd} add pass udp from me6 to any 123 keep-state + fi # Everything else is denied by default, unless the # IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel 
@@ -388,14 +400,25 @@ # Allow setup of incoming email ${fwcmd} add pass tcp from any to me 25 setup + if [ -n "$inet6" ]; then + ${fwcmd} add pass tcp from any to me6 25 setup + fi # Allow access to our DNS ${fwcmd} add pass tcp from any to me 53 setup ${fwcmd} add pass udp from any to me 53 ${fwcmd} add pass udp from me 53 to any + if [ -n "$inet6" ]; then + ${fwcmd} add pass tcp from any to me6 53 setup + ${fwcmd} add pass udp from any to me6 53 + ${fwcmd} add pass udp from me6 53 to any + fi # Allow access to our WWW ${fwcmd} add pass tcp from any to me 80 setup + if [ -n "$inet6" ]; then + ${fwcmd} add pass tcp from any to me6 80 setup + fi # Reject&Log all setup of incoming connections from the outside ${fwcmd} add deny log ip4 from any to any in via ${oif} setup proto tcp @@ -409,9 +432,15 @@ # Allow DNS queries out in the world ${fwcmd} add pass udp from me to any 53 keep-state + if [ -n "$inet6" ]; then + ${fwcmd} add pass udp from me6 to any 53 keep-state + fi # Allow NTP queries out in the world ${fwcmd} add pass udp from me to any 123 keep-state + if [ -n "$inet6" ]; then + ${fwcmd} add pass udp from me6 to any 123 keep-state + fi # Everything else is denied by default, unless the # IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel --Multipart_Thu_Dec_17_17:36:00_2009-1 Content-Type: text/plain; charset=US-ASCII -- Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan ume@mahoroba.org ume@{,jp.}FreeBSD.org http://www.imasy.org/~ume/ --Multipart_Thu_Dec_17_17:36:00_2009-1--
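Review bot: in hunk @@ -230,18 +230,30 @@ the new rules are guarded by `if [ -n "$net6" ]`, but nothing in the hunk shows where `net6` is set, and the cover message gives the motivation as kernels built without IPv6 support; confirm that `$net6` is empty exactly in that case, otherwise a dual-stack host with the variable unset loses every `me6` rule while a kernel without IPv6 that has it set still gets `me6` passed to `${fwcmd}`. The same three-line guard is repeated four times in this hunk; a small helper that loads a rule for `me` and, under the guard, for `me6` would cut the duplication and keep the IPv4 and IPv6 forms from drifting apart.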
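Review bot: in hunk @@ -388,14 +400,25 @@ the context line `${fwcmd} add deny log ip4 from any to any in via ${oif} setup proto tcp` stays IPv4-only, so after this change inbound IPv6 TCP setups that the new `me6` 25/53/80 rules do not match are not rejected and logged at this point the way their IPv4 counterparts are; add an `ip6` version of that rule under the same `$inet6` guard. Also, this section guards on `$inet6` while the first hunk guards on `$net6`; if both are intentional (separate variables for the client and simple profiles), a line in the commit message saying so would save the next reader a search.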
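Review bot: hunk @@ -409,9 +432,15 @@ repeats the DNS and NTP `me6` blocks from the client section under a different variable name; since the cover message says the patch has not been tested yet, load the result once on a dual-stack box and once on a kernel without IPv6 and check that `ipfw list` shows the `me6` rules only in the first case and that the two `keep-state` rules create dynamic entries for IPv6 queries as they already do for IPv4.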
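As an added example (not FreeBSD's rc.firewall and not part of this message), the following POSIX sh helper shows the approach the reply describes: each rule that names the local host is loaded for `me`, and loaded a second time for `me6` only when IPv6 is configured, so a kernel built without IPv6 support never sees the `me6` keyword. The names `me_rule`, `add_me_rule`, `render_client_rules` and the `@me@` placeholder are constructed for this example; `fwcmd` and `inet6` follow the variable names used in the patch, and `fwcmd=echo` turns rule loading into a dry-run print so the result can be inspected offline.

```shell
#!/bin/sh
# Added example, not FreeBSD's rc.firewall.  Emits each local-host rule for
# the IPv4 token 'me' and, only when IPv6 is configured ($inet6 non-empty,
# the same guard the patch uses), again for 'me6'.  fwcmd=echo makes this a
# dry run that prints rules instead of loading them.

fwcmd="${fwcmd:-echo}"

# me_rule TOKEN TEMPLATE: print TEMPLATE with its single @me@ placeholder
# (a marker constructed for this example) replaced by TOKEN.
me_rule() {
	_t="$2"
	printf '%s\n' "${_t%%@me@*}$1${_t#*@me@}"
}

# add_me_rule TEMPLATE: load the IPv4 form unconditionally, then the IPv6
# form under the guard.  A kernel without IPv6 support therefore never
# receives a rule containing 'me6', which its ipfw would reject.
add_me_rule() {
	${fwcmd} add $(me_rule me "$1")
	if [ -n "$inet6" ]; then
		${fwcmd} add $(me_rule me6 "$1")
	fi
}

# render_client_rules IPV6_PREFIX: render the client-profile rules from the
# patch as text, in a subshell so the caller's fwcmd/inet6 stay untouched.
# An empty argument models a host (or kernel) without IPv6.
render_client_rules() {
	(
		fwcmd=echo
		inet6="$1"
		add_me_rule "pass tcp from any to @me@ 25 setup"
		add_me_rule "pass tcp from @me@ to any setup"
		add_me_rule "pass udp from @me@ to any 53 keep-state"
		add_me_rule "pass udp from @me@ to any 123 keep-state"
	)
}

# Dry run: an IPv4-only host first, then dual stack with a constructed
# documentation prefix (RFC 3849); the second listing has twice the rules.
render_client_rules ""
echo "---"
render_client_rules "2001:db8::/32"
```

Setting `fwcmd=/sbin/ipfw` instead of `echo` would load the rendered rules for real; the point of the helper is that the IPv4 and IPv6 forms of every rule come from one template, so the two can no longer drift apart the way the separate `me` and `me6` lines in a hand-maintained ruleset can.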