From owner-freebsd-net@FreeBSD.ORG Mon Nov 23 17:55:38 2009
From: John Baldwin
To: Hajimu UMEMOTO
Cc: freebsd-net@freebsd.org, freebsd-current@freebsd.org, Doug Barton
Date: Mon, 23 Nov 2009 12:55:25 -0500
Subject: Re: [CFR] unified rc.firewall
Message-Id: <200911231255.26279.jhb@freebsd.org>
References: <200911231056.15247.jhb@freebsd.org>
List-Id: Networking and TCP/IP with FreeBSD

On Monday 23 November 2009 12:27:23 pm Hajimu UMEMOTO wrote:
> Hi,
>
> >>>>> On Mon, 23 Nov 2009 10:56:14 -0500
> >>>>> John Baldwin said:
>
> jhb>
@@ -178,6 +212,16 @@
> jhb> # Allow any traffic to or from my own net.
> jhb> ${fwcmd} add pass all from me to ${net}
> jhb> ${fwcmd} add pass all from ${net} to me
> jhb> + if [ -n "$net6" ]; then
> jhb> + ${fwcmd} add pass ip6 from me6 to ${net6}
> jhb> + ${fwcmd} add pass ip6 from ${net6} to me6
> jhb> + fi
> jhb> +
> jhb> + if [ -n "$net6" ]; then
> jhb> + # Allow any link-local multicast traffic
> jhb> + ${fwcmd} add pass ip6 from fe80::/10 to ff02::/16
> jhb> + ${fwcmd} add pass ip6 from ${net6} to ff02::/16
> jhb> + fi
>
> jhb> Any reason to not use 'all' here rather than 'ip6' to match the earlier IPv4
> jhb> rules?
>
> Thank you for the review.
> The rule is only applicable for IPv6. Rather, I prefer to use 'ip4'
> explicitly over 'all' or 'ip' here. However, changing 'all' to 'ip4'
> makes the diff complex. So, I keep 'all' as is.

Hmm, however, using 'all' will work, and while in this case the typing is the
same I find it easier to read 'add pass tcp <...>' vs 'add pass ip <...> proto
tcp'. I do think they should be consistent regardless.

> jhb> # For services permitted below.
> jhb> ${fwcmd} add pass tcp from me to any established
> jhb> + if [ $ipv6_available -eq 0 ]; then
> jhb> + ${fwcmd} add pass ip6 from any to any proto tcp established
> jhb> + fi
>
> jhb> I think this extra rule here isn't needed at all as the first rule should
> jhb> already match all of those packets.
>
> The WORKSTATION type rule is fully dynamic. However, I saw it doesn't
> work for IPv6 as expected. The SSH connection stalls after some period.
> I suspect the keepalive timer doesn't work well for IPv6.
> So, I changed to use the traditional setup/established rule for TCP/IPv6.
> Further, 'me' doesn't match an IPv6 address.

I had missed the me vs any. It is true that the equivalent rule would use me6.
I would rather figure out the IPv6 bug so that TCP is treated the same for both
protocols instead of having a weaker firewall for IPv6 than IPv4.
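Review bot: the IPv6 `established` rule added under "For services permitted below" is scoped `from any to any`, while the IPv4 line directly above it is `from me to any`, so it passes any IPv6 TCP segment with ACK or RST set regardless of its addresses and without the dynamic-rule check the IPv4 path gets; if the stateless setup/established pair is kept for IPv6, scope it to the host the same way (`${fwcmd} add pass ip6 from me6 to any proto tcp established`, plus an explicit `to me6` line if inbound replies are meant to be covered) so the two address families enforce the same policy. Two smaller points in the same region: the guard switches from `[ -n "$net6" ]` in the `@@ -178,6 +212,16 @@` hunk to `[ $ipv6_available -eq 0 ]` here, and the unquoted `$ipv6_available` makes `test` fail with a syntax error if the variable is ever unset, so either quote it or make sure the script initialises it unconditionally beforehand; and the two back-to-back `if [ -n "$net6" ]; then ... fi` blocks in that earlier hunk can be merged into one.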
> jhb> # Allow any connection out, adding state for each.
> jhb> ${fwcmd} add pass tcp from me to any setup keep-state
> jhb> ${fwcmd} add pass udp from me to any keep-state
> jhb> ${fwcmd} add pass icmp from me to any keep-state
> jhb> + if [ $ipv6_available -eq 0 ]; then
> jhb> + ${fwcmd} add pass ip6 from me6 to any proto tcp setup
> jhb> + ${fwcmd} add pass ip6 from me6 to any proto udp keep-state
> jhb> + ${fwcmd} add pass ip6 from me6 to any proto ipv6-icmp \
> jhb> + keep-state
> jhb> + fi
>
> jhb> I think it is more consistent to use 'pass tcp from me6 to any' similar to
> jhb> the IPv4 rules here. It is also shorter and easier to read that way IMO.
>
> I thought a similar thing with 'all' vs 'ip4'. Rather, I prefer to
> change the IPv4 rules. However, if 'all' is preferable, I'll change so.

I do find the shorter version easier to read, and it matches the existing style
as well as the examples in the manual page, handbook, etc.

-- 
John Baldwin
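Review bot: in the "Allow any connection out" region the IPv6 TCP line is `from me6 to any proto tcp setup` without the `keep-state` its IPv4 counterpart `add pass tcp from me to any setup keep-state` carries, so IPv6 TCP now relies entirely on the separate stateless `established` rule and a reader of rc.firewall sees two different models for the two address families with nothing explaining why; add a comment at that line recording that keep-state was dropped for IPv6 TCP because of the suspected keepalive stall, so that a later clean-up does not restore `keep-state` here without also removing the `established` rule (or the reverse) and leave the two out of sync. The `proto udp keep-state` and `proto ipv6-icmp \ keep-state` lines do mirror the IPv4 rules and need no change.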