From: Hajimu UMEMOTO <ume@mahoroba.org>
To: "Eric W. Bates"
Cc: freebsd-net@freebsd.org
Date: Wed, 01 Feb 2012 17:32:26 +0900
Subject: Re: allowing gif thru ipfw
In-Reply-To: <4F28C168.9010206@ericx.net>

Hi,

>>>>> On Tue, 31 Jan 2012 23:36:56 -0500
>>>>> "Eric W. Bates" said:

ericx> Seems like a silly question; but how does one allow the packets
ericx> composing a gif tunnel thru ipfw?
ericx>
ericx> I assumed a gif was made up of ipencap (IP proto 4) packets and added rules:
ericx>
ericx> $fwcmd add 00140 allow ipencap from $he_tun to me
ericx> $fwcmd add 00141 allow ipencap from me to $he_tun
ericx>
ericx> ($he_tun is a Hurricane Electric provider); but neither of them is
ericx> hit; so that's wrong...
ericx>
ericx> tcpdump -i em_vlan5 -nnvvs0 ip proto 4
ericx>
ericx> doesn't show any packets either...
ericx>
ericx> I also have the rule to allow icmp6 thru the gif:
ericx>
ericx> $fwcmd add 30132 allow icmp6 from me to any out via gif0 keep-state
ericx>
ericx> but that doesn't get hit either. Bottom line: I cannot ping the far
ericx> end of my ipv6 tunnel. I receive the error "permission denied"
ericx>
ericx> ** root@olivia ** ~ ** Tue Jan 31 23:31:43
ericx> # ping6 2001:****:****:****::1
ericx> PING6(56=40+8+8 bytes) 2001:****:****:****::2 --> 2001:****:****:****::1
ericx> ping6: sendmsg: Permission denied
ericx> ping6: wrote 2001:****:****:****::1 16 chars, ret=-1
ericx> ping6: sendmsg: Permission denied
ericx>
ericx> Am I even correct in assuming that my gif packets are being blocked?

Are you trying to pass an IPv6 over IPv4 tunnel? If so,

$fwcmd add 00140 allow ip4 from $he_tun to me proto ipv6
$fwcmd add 00141 allow ip4 from me to $he_tun proto ipv6

should work for you.

Sincerely,

--
Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan
ume@mahoroba.org  ume@{,jp.}FreeBSD.org
http://www.imasy.org/~ume/
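The point of the reply is that a gif tunnel carrying IPv6 over IPv4 is IP protocol 41 ("ipv6" in /etc/protocols), not protocol 4 ("ipencap", IPv4 in IPv4), so a rule written for ipencap never matches. The following added example (not code from the thread or from FreeBSD) builds a constructed 6in4 packet carrying an ICMPv6 echo request, parses the outer header, and evaluates it against small models of both rule sets from the thread. The addresses ME and HE_TUN are constructed documentation-range values standing in for the tunnel endpoints, and the rule model compares exact addresses, whereas ipfw's "me" matches any local interface address.

```python
# Added example, not code from the thread or from FreeBSD: shows why an
# "allow ipencap" rule never sees a gif (6in4) tunnel packet while
# "allow ip4 ... proto ipv6" does. Addresses are constructed; rule
# numbers follow the thread.
import struct
import ipaddress

IPPROTO_IPENCAP = 4     # "ipencap": IPv4 inside IPv4
IPPROTO_IPV6 = 41       # "ipv6": IPv6 inside IPv4, what an HE gif tunnel carries
IPPROTO_ICMPV6 = 58

ME = "192.0.2.10"        # constructed local tunnel endpoint (ipfw "me")
HE_TUN = "198.51.100.1"  # constructed remote endpoint ($he_tun)


def ipv4_checksum(hdr: bytes) -> int:
    """RFC 1071 one's-complement checksum over the header bytes."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header (no options) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                      64, proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_ipv6(src, dst, next_header, payload):
    """Minimal 40-byte IPv6 header in front of payload."""
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64,
                       ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address(dst).packed) + payload


def parse_ipv4(pkt):
    """Outer header fields ipfw would classify on, plus the encapsulated payload."""
    ver_ihl, _, total, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("not a valid IPv4 header")
    return {"proto": proto, "src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)), "payload": pkt[ihl:total]}


def parse_ipv6(pkt):
    """Inner header fields the gif interface exposes after decapsulation."""
    _, plen, nh, _, src, dst = struct.unpack("!IHBB16s16s", pkt[:40])
    return {"next_header": nh, "src": str(ipaddress.IPv6Address(src)),
            "dst": str(ipaddress.IPv6Address(dst)), "payload": pkt[40:40 + plen]}


def rule(number, proto, src, dst):
    """Model of an ipfw 'allow <proto> from <src> to <dst>' rule on the outer IPv4 header."""
    return {"number": number, "proto": proto, "src": src, "dst": dst}


# The two rule sets from the thread: "ipencap" is protocol 4, "ip4 ... proto ipv6" is protocol 41.
RULES_AS_POSTED = [rule(140, IPPROTO_IPENCAP, HE_TUN, ME), rule(141, IPPROTO_IPENCAP, ME, HE_TUN)]
RULES_SUGGESTED = [rule(140, IPPROTO_IPV6, HE_TUN, ME), rule(141, IPPROTO_IPV6, ME, HE_TUN)]


def first_match(rules, ip4):
    """Number of the first rule matching the outer header (ipfw semantics), or None."""
    for r in sorted(rules, key=lambda x: x["number"]):
        if r["proto"] == ip4["proto"] and r["src"] == ip4["src"] and r["dst"] == ip4["dst"]:
            return r["number"]
    return None


def he_ping6_packet(outbound=True):
    """Constructed 6in4 packet: ICMPv6 echo request from the tunnel's ::2 side to its ::1 side."""
    icmp6 = struct.pack("!BBHHH", 128, 0, 0, 0x0001, 1) + b"ping"  # ICMPv6 checksum left 0 on purpose
    inner = build_ipv6("2001:db8::2", "2001:db8::1", IPPROTO_ICMPV6, icmp6)
    src, dst = (ME, HE_TUN) if outbound else (HE_TUN, ME)
    return build_ipv4(src, dst, IPPROTO_IPV6, inner)


def classify(pkt):
    """Outer protocol number plus the inner IPv6 next-header, if the packet is 6in4."""
    outer = parse_ipv4(pkt)
    info = {"outer_proto": outer["proto"], "inner_next_header": None}
    if outer["proto"] == IPPROTO_IPV6:
        info["inner_next_header"] = parse_ipv6(outer["payload"])["next_header"]
    return info


if __name__ == "__main__":
    pkt = he_ping6_packet()
    print(classify(pkt))
    print("rules as posted  :", first_match(RULES_AS_POSTED, parse_ipv4(pkt)))
    print("rules as suggested:", first_match(RULES_SUGGESTED, parse_ipv4(pkt)))
```

Running it shows the outer protocol is 41 with ICMPv6 (58) inside, that the posted ipencap rules match nothing, and that the suggested rules match 141 outbound and 140 inbound. The same distinction explains the empty tcpdump in the thread: `ip proto 4` filters for ipencap, so a capture of the tunnel traffic needs `ip proto 41` instead.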