From: Hajimu UMEMOTO
To: "Eric W. Bates"
Cc: freebsd-net@freebsd.org
Date: Thu, 02 Feb 2012 00:14:21 +0900
Subject: Re: allowing gif thru ipfw
In-Reply-To: <4F2948F3.1060408@ericx.net>
References: <4F28C168.9010206@ericx.net> <4F2948F3.1060408@ericx.net>

Hi,

>>>>> On Wed, 01 Feb 2012 09:15:15 -0500
>>>>> "Eric W. Bates" said:

ericx> On 2/1/2012 3:32 AM, Hajimu UMEMOTO wrote:
> Hi,
> ericx> Am I even correct in assuming that my gif packets are being blocked?
>
> Are you trying to pass an IPv6 over IPv4 tunnel? If so,
>
> $fwcmd add 00140 allow ip4 from $he_tun to me proto ipv6
> $fwcmd add 00141 allow ip4 from me to $he_tun proto ipv6
>
> should work for you.

ericx> Yes, I'm trying to tunnel in ipv6 from HE.

Okay.

ericx> Really? I'm allowing ipv6 packets on the gif0 interface; but not on
ericx> the lan interface simply because I assumed that like IPSec the
ericx> encapsulated packets would not be seen as ipv6 on the ethernet
ericx> interface?

Still, you need to allow an inner protocol number 41 to use an IPv6
over IPv4 gif tunnel. An inner protocol number of an IPv6 over IPv4
tunnel is 41 which is defined as `ipv6' in /etc/protocols. The ipfw
commands I mentioned in my previous mail should do it. Please take
notice that `ip4' is an outer protocol and an `ipv6' in a proto option
is treated as an inner protocol.

Sincerely,

--
Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan
ume@mahoroba.org  ume@{,jp.}FreeBSD.org
http://www.imasy.org/~ume/
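An added illustration, not part of the original message and not ipfw's own code: a small Python model of why the rule on the ethernet side has to match IPv4 with protocol 41, while IPv6 rules only apply after the gif interface has removed the outer header. The addresses, the function names and the packet are constructed for the example.

```python
import ipaddress
import struct

PROTO_IPV6 = 41  # "ipv6" in /etc/protocols: IPv6 carried inside IPv4

def build_6in4(src4, dst4, src6, dst6):
    """Constructed sample: an empty IPv6 packet wrapped in an IPv4 header."""
    inner = struct.pack("!IHBB", 6 << 28, 0, 59, 64)  # next header 59 = no payload
    inner += ipaddress.IPv6Address(src6).packed + ipaddress.IPv6Address(dst6).packed
    # Outer header: version 4, IHL 5, protocol 41; checksum left at 0 for brevity.
    outer = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(inner), 0, 0, 64, PROTO_IPV6, 0)
    outer += ipaddress.IPv4Address(src4).packed + ipaddress.IPv4Address(dst4).packed
    return outer + inner

def classify(packet):
    """Return (ip_version, protocol_or_next_header, src, dst) for the outermost header."""
    if not packet:
        raise ValueError("empty packet")
    version = packet[0] >> 4
    if version == 4 and len(packet) >= 20:
        return (4, packet[9], str(ipaddress.IPv4Address(packet[12:16])),
                str(ipaddress.IPv4Address(packet[16:20])))
    if version == 6 and len(packet) >= 40:
        return (6, packet[6], str(ipaddress.IPv6Address(packet[8:24])),
                str(ipaddress.IPv6Address(packet[24:40])))
    raise ValueError("truncated or non-IP packet")

def outer_rule_allows(packet, he_tun, me):
    """Simplified model of 'allow ip4 from $he_tun to me proto ipv6' (not ipfw itself)."""
    return classify(packet) == (4, PROTO_IPV6, he_tun, me)

def decapsulate(packet):
    """Strip the outer IPv4 header, as the gif interface does for protocol 41."""
    version, proto, _, _ = classify(packet)
    ihl = (packet[0] & 0x0F) * 4
    if version != 4 or proto != PROTO_IPV6 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not an IPv6-over-IPv4 packet")
    return packet[ihl:]

if __name__ == "__main__":
    # Constructed addresses from the documentation ranges.
    he_tun, me = "192.0.2.1", "198.51.100.7"
    pkt = build_6in4(he_tun, me, "2001:db8::1", "2001:db8::2")
    print("on the ethernet interface:", classify(pkt))
    print("outer rule allows:", outer_rule_allows(pkt, he_tun, me))
    print("on gif0 after decapsulation:", classify(decapsulate(pkt)))
```

On the wire the packet classifies as version 4 with protocol 41, so a rule that only matches IPv6 never sees it there; the IPv6 header becomes the outermost one only after decapsulation.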