From owner-freebsd-questions@FreeBSD.ORG Sat Nov 10 19:49:18 2007
Message-ID: <54db43990711101149k62ce4ac2m1cf797f1671ba6fa@mail.gmail.com>
Date: Sat, 10 Nov 2007 14:49:07 -0500
From: "Bob Johnson"
To: freebsd-questions@freebsd.org
Subject: 7.0-B2 & IPFW/IP6FW interaction
I've been trying to learn about IPv6, using the 7.0 series as my platform so it gets some exercise before release, and I've run into a few odd interactions between IPFW handling of IPv4 and IPv6. The only one I can reliably reproduce is pretty straightforward: if I set up /etc/rc.conf to enable IPFW for both IPv4 and IPv6, both with the CLIENT rule set, and edit /etc/rc.firewall and /etc/rc.firewall6 accordingly, only one ruleset gets loaded.

On my test system, the IPv6 ruleset is loaded first, and then when the IPv4 ruleset is loaded, the flush command in rc.firewall removes all of the IPv6 rules, so I end up with default deny for IPv6, plus all of my normal IPv4 rules. It's possible that this interaction explains the other oddities I thought I'd seen but haven't reliably reproduced.

I fixed it by removing the flush commands from both rc.firewall and rc.firewall6, but I expect this broke the proper operation of "/etc/rc.d/ipfw restart" (although I haven't actually tested that. I just manually flush the rules if I need to restart the firewall).

Am I running into this problem because 7.0 expects me to do something differently, or is this actually a bug?

It appears the problem is in the old config scripts (rc.firewall and rc.firewall6) that worked properly when IPFW and IP6FW were independent, but now interact with each other. It would probably make sense to integrate the two scripts into a single rc.firewall script, but I haven't had time to take a shot at that yet. If the load order is always the same, then of course I can just remove the flush command from the second rule set and it will solve the problem. Again, I haven't looked into that yet.

I've also noticed there are new rc.conf variables (e.g. firewall_myservices, firewall_allowservices) that appear to be intended to configure default rules for me, but I have not investigated them. Perhaps I should?

In /etc/rc.conf the firewall statements I have are:

    firewall_enable="YES"
    firewall_logging="YES"
    firewall_type="CLIENT"
    ipv6_firewall_enable="YES"
    ipv6_firewall_logging="YES"
    ipv6_firewall_type="CLIENT"

and this is 7.0-BETA2

- Bob
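A check for the interaction described in the mail, added here as an example and not part of the original post or of the FreeBSD rc scripts: it reports when rc.conf enables both rulesets while both rc.firewall scripts flush the rule table, which is the condition under which the second script wipes the first ruleset. It assumes the flush is an uncommented `-f flush` line (the form used by the stock scripts) and runs on constructed stand-ins for the three files.

```sh
#!/bin/sh
# Added example (not from the original mail). Checks whether rc.conf enables both
# the IPv4 and the IPv6 ipfw ruleset while both rc scripts unconditionally
# flush the rule table. Since 7.0 both scripts talk to the same ipfw(8) table,
# so in that case the script that runs second wipes the ruleset loaded first.

# rc_var FILE NAME: print the value of NAME="..." set in FILE (last one wins).
rc_var() {
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"#]*\)\"\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# has_flush FILE: succeed if FILE runs an uncommented '... -f flush' (assumed form).
has_flush() {
    grep -Eq '^[^#]*[[:space:]]-f[[:space:]]+flush' "$1"
}

# check_conflict RC_CONF RC_FIREWALL RC_FIREWALL6
# Succeeds (exit 0) only when both rulesets are enabled and both scripts flush.
check_conflict() {
    [ "$(rc_var "$1" firewall_enable)" = "YES" ] || return 1
    [ "$(rc_var "$1" ipv6_firewall_enable)" = "YES" ] || return 1
    has_flush "$2" || return 1
    has_flush "$3" || return 1
    return 0
}

# make_samples DIR: write constructed stand-ins for the three files, modelled on
# the rc.conf lines quoted in the mail and on the shape of the stock scripts.
make_samples() {
    mkdir -p "$1"
    printf '%s\n' 'firewall_enable="YES"' 'firewall_type="CLIENT"' \
        'ipv6_firewall_enable="YES"' 'ipv6_firewall_type="CLIENT"' > "$1/rc.conf"
    printf '%s\n' 'fwcmd="/sbin/ipfw"' '${fwcmd} -f flush' \
        '${fwcmd} add 1000 allow ip from any to any via lo0' > "$1/rc.firewall"
    printf '%s\n' 'fw6cmd="/sbin/ipfw"' '${fw6cmd} -f flush' \
        '${fw6cmd} add 2000 allow ip6 from any to any via lo0' > "$1/rc.firewall6"
}

# Demo on the constructed files; on a real host pass /etc/rc.conf,
# /etc/rc.firewall and /etc/rc.firewall6 to check_conflict instead.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
if check_conflict "$demo_dir/rc.conf" "$demo_dir/rc.firewall" "$demo_dir/rc.firewall6"; then
    echo "CONFLICT: both rulesets enabled and both scripts flush the shared table"
else
    echo "ok: at most one script flushes, so the rulesets do not clobber each other"
fi
rm -rf "$demo_dir"
```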