From: Benjamin Lee
Date: Mon, 23 Nov 2009 10:27:43 -0800
To: John Baldwin
Cc: freebsd-net@freebsd.org, freebsd-current@freebsd.org, Hajimu UMEMOTO, Doug Barton
Subject: Re: [CFR] unified rc.firewall
Message-ID: <4B0AD41F.6020709@b1c1l1.com>
In-Reply-To: <200911231255.26279.jhb@freebsd.org>
References: <200911231056.15247.jhb@freebsd.org> <200911231255.26279.jhb@freebsd.org>

On 11/23/2009 09:55 AM, John Baldwin wrote:
> On Monday 23 November 2009 12:27:23 pm Hajimu UMEMOTO wrote:
>> Hi,
>>
>>>>>>> On Mon, 23 Nov 2009 10:56:14 -0500
>>>>>>> John Baldwin said:
>> jhb> # For services permitted below.
>> jhb> ${fwcmd} add pass tcp from me to any established
>> jhb> + if [ $ipv6_available -eq 0 ]; then
>> jhb> + ${fwcmd} add pass ip6 from any to any proto tcp established
>> jhb> + fi
>>
>> jhb> I think this extra rule here isn't needed at all as the first rule should
>> jhb> already match all of those packets.
>>
>> The WORKSTATION type rule is fully dynamic. However, I saw it doesn't
>> work for IPv6 as expected. The SSH connection stalls after some period.
>> I suspect the keepalive timer doesn't work well for IPv6.
>> So, I changed to use the traditional setup/established rule for TCP/IPv6.
>> Further, 'me' doesn't match an IPv6 address.
>
> I had missed the me vs any. It is true that the equivalent rule would use
> me6. I would rather figure out the IPv6 bug so that TCP is treated the
> same for both protocols instead of having a weaker firewall for IPv6 than
> IPv4.

There is a bug in ipfw send_pkt() that prevents ipfw_tick() from
functioning for IPv6. See PR kern/117234.

-- 
Benjamin Lee
http://www.b1c1l1.com/
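Review bot: the IPv6 branch in the quoted hunk is looser than the IPv4 rule directly above it. `${fwcmd} add pass tcp from me to any established` is limited to TCP connections terminating on this host, whereas `${fwcmd} add pass ip6 from any to any proto tcp established` accepts any IPv6 TCP packet that ipfw classifies as established, whatever its destination. Since `me` matches only IPv4 addresses, the like-for-like rule is `${fwcmd} add pass ip6 from me6 to any proto tcp established`; and if a static rule is kept for IPv6 only because the dynamic rule fails there, a comment on the `if [ $ipv6_available -eq 0 ]` block should say so, so the difference reads as a workaround for the keepalive problem rather than as intended policy.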