Date: Wed, 01 Feb 2012 17:32:26 +0900
From: Hajimu UMEMOTO <ume@freebsd.org>
To: "Eric W. Bates" <ericx@ericx.net>
Cc: freebsd-net@freebsd.org
Subject: Re: allowing gif thru ipfw
Message-ID: <yge1uqft0md.wl%ume@mahoroba.org>
In-Reply-To: <4F28C168.9010206@ericx.net>
References: <4F28C168.9010206@ericx.net>
Hi,
>>>>> On Tue, 31 Jan 2012 23:36:56 -0500
>>>>> "Eric W. Bates" <ericx@ericx.net> said:
ericx> Seems like a silly question; but how does one allow the packets
ericx> composing a gif tunnel thru ipfw?
ericx> I assumed a gif was made up of ipencap (IP proto 4) packets and added rules:
ericx> $fwcmd add 00140 allow ipencap from $he_tun to me
ericx> $fwcmd add 00141 allow ipencap from me to $he_tun
ericx> ($he_tun is a Hurricane Electric provider); but neither of them are
ericx> hit; so that's wrong...
ericx> tcpdump -i em_vlan5 -nnvvs0 ip proto 4
ericx> doesn't show any packets either...
ericx> I also have the rule to allow icmp6 thru the gif:
ericx> $fwcmd add 30132 allow icmp6 from me to any out via gif0 keep-state
ericx> but that doesn't get hit either. Bottom line: I cannot ping the far
ericx> end of my ipv6 tunnel. I receive the error "permission denied"
ericx> ** root@olivia ** ~ ** Tue Jan 31 23:31:43
ericx> # ping6 2001:****:****:****::1
ericx> PING6(56=40+8+8 bytes) 2001:****:****:****::2 --> 2001:****:****:****::1
ericx> ping6: sendmsg: Permission denied
ericx> ping6: wrote 2001:****:****:****::1 16 chars, ret=-1
ericx> ping6: sendmsg: Permission denied
ericx> Am I even correct in assuming that my gif packets are being blocked?
Are you trying to pass an IPv6 over IPv4 tunnel? If so,
$fwcmd add 00140 allow ip4 from $he_tun to me proto ipv6
$fwcmd add 00141 allow ip4 from me to $he_tun proto ipv6
should work for you.
Sincerely,
--
Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan
ume@mahoroba.org ume@{,jp.}FreeBSD.org
http://www.imasy.org/~ume/
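
Added example, not part of the original message: a gif tunnel carrying IPv6 over IPv4 puts IP protocol 41 (`ipv6`) in the outer header, not protocol 4 (`ipencap`), which is why the `ipencap` rules and the `ip proto 4` tcpdump filter see nothing. The sketch below builds a constructed 6in4 packet and checks which protocol keyword matches it; the addresses are documentation ranges and the function names are hypothetical.

```python
import socket
import struct

# Protocol numbers as listed in /etc/protocols (IANA assigned).
PROTO_NAMES = {4: "ipencap", 41: "ipv6", 58: "ipv6-icmp"}


def build_6in4(src4, dst4, src6, dst6):
    """Build a constructed 6in4 packet: IPv4(proto 41) / IPv6 / ICMPv6 echo."""
    icmp6 = struct.pack("!BBHHH", 128, 0, 0, 1, 1)  # echo request, checksum left 0
    ipv6 = struct.pack("!IHBB", 6 << 28, len(icmp6), 58, 64)
    ipv6 += socket.inet_pton(socket.AF_INET6, src6)
    ipv6 += socket.inet_pton(socket.AF_INET6, dst6)
    inner = ipv6 + icmp6
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner), 0, 0, 64,
                       41, 0, socket.inet_aton(src4), socket.inet_aton(dst4))
    return ipv4 + inner


def outer_protocol(packet):
    """Return (number, name) of the protocol field in the outer IPv4 header."""
    if len(packet) < 20 or (packet[0] >> 4) != 4 or (packet[0] & 0x0F) < 5:
        raise ValueError("not a valid IPv4 header")
    return packet[9], PROTO_NAMES.get(packet[9], str(packet[9]))


def inner_next_header(packet):
    """For a proto-41 packet, return the IPv6 next-header value of the payload."""
    proto, _ = outer_protocol(packet)
    ihl = (packet[0] & 0x0F) * 4
    if proto != 41 or len(packet) < ihl + 40 or (packet[ihl] >> 4) != 6:
        raise ValueError("payload is not an encapsulated IPv6 packet")
    return packet[ihl + 6]


def rule_matches(proto_keyword, packet):
    """Mimic only the protocol part of an ipfw rule (addresses are ignored)."""
    return outer_protocol(packet)[1] == proto_keyword


# Constructed sample using documentation addresses, not values from the thread.
SAMPLE = build_6in4("192.0.2.1", "198.51.100.1", "2001:db8::2", "2001:db8::1")

if __name__ == "__main__":
    for kw in ("ipencap", "ipv6"):
        print(kw, "rule matches:", rule_matches(kw, SAMPLE))
    print("inner next header:", inner_next_header(SAMPLE))
```

The ICMPv6 echo only appears as the inner next-header (58); on the physical interface the firewall sees protocol 41, so the icmp6 rule on gif0 and the outer-header rule are evaluated on different packets.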
