From: "Eric W. Bates"
Date: Wed, 01 Feb 2012 10:21:51 -0500
To: Hajimu UMEMOTO
Cc: freebsd-net@freebsd.org
Subject: Re: allowing gif thru ipfw
Message-ID: <4F29588F.2090603@ericx.net>
References: <4F28C168.9010206@ericx.net> <4F2948F3.1060408@ericx.net>

[sigh]

I stand enlightened with increased understanding. Thank you very much.
That is exactly what I've been seeing on my pfSense machine and could
not replicate on my stand-alone FBSD box.

On 2/1/2012 10:14 AM, Hajimu UMEMOTO wrote:
> Hi,
>
>>>>>> On Wed, 01 Feb 2012 09:15:15 -0500
>>>>>> "Eric W. Bates" said:
>
> ericx> On 2/1/2012 3:32 AM, Hajimu UMEMOTO wrote:
>> Hi,
>
>> ericx> Am I even correct in assuming that my gif packets are being blocked?
>>
>> Are you trying to pass an IPv6 over IPv4 tunnel? If so,
>>
>> $fwcmd add 00140 allow ip4 from $he_tun to me proto ipv6
>> $fwcmd add 00141 allow ip4 from me to $he_tun proto ipv6
>>
>> should work for you.
>
> ericx> Yes, I'm trying to tunnel in ipv6 from HE.
>
> Okay.
>
> ericx> Really? I'm allowing ipv6 packets on the gif0 interface; but not on
> ericx> the lan interface simply because I assumed that like IPSec the
> ericx> encapsulated packets would not be seen as ipv6 on the ethernet
> ericx> interface?
>
> Still, you need to allow an inner protocol number 41 to use an IPv6
> over IPv4 gif tunnel. An inner protocol number of an IPv6 over IPv4
> tunnel is 41 which is defined as `ipv6' in /etc/protocols.
> The ipfw commands I mentioned in my previous mail should do it.
> Please take notice that `ip4' is an outer protocol and an `ipv6' in a
> proto option is treated as an inner protocol.
>
> Sincerely,
>
> --
> Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan
> ume@mahoroba.org ume@{,jp.}FreeBSD.org
> http://www.imasy.org/~ume/
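
The outer/inner protocol distinction from the message above, shown as an added example that is not part of the original thread: a constructed IPv6-in-IPv4 packet is parsed the way it appears on the physical interface (IPv4, protocol 41) and then as it appears after decapsulation on gif0. The addresses are documentation-range placeholders, the function names are hypothetical, and `matches_rule_140` is a simplified model of rule 00140, not ipfw's own matching code.

```python
import socket
import struct

PROTO_IPV6 = 41  # listed as "ipv6" in /etc/protocols
# Constructed sample addresses (documentation ranges), not from the thread.
HE_TUN, ME = "192.0.2.1", "198.51.100.7"

def build_sample():
    """Constructed packet: IPv6 (ICMPv6, next header 58) inside IPv4 proto 41."""
    inner = struct.pack("!IHBB16s16s", 6 << 28, 0, 58, 64,
                        socket.inet_pton(socket.AF_INET6, "2001:db8::1"),
                        socket.inet_pton(socket.AF_INET6, "2001:db8::2"))
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner), 0, 0, 64,
                        PROTO_IPV6, 0,  # header checksum left 0 in this sample
                        socket.inet_aton(HE_TUN), socket.inet_aton(ME))
    return outer + inner

def outer_view(pkt):
    """Fields visible on the physical interface, before decapsulation."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    return {"family": "ip4", "proto": pkt[9],
            "src": socket.inet_ntoa(pkt[12:16]),
            "dst": socket.inet_ntoa(pkt[16:20]),
            "payload": pkt[ihl:]}

def inner_view(pkt):
    """Fields visible on gif0, after the outer IPv4 header is stripped."""
    o = outer_view(pkt)
    if o["proto"] != PROTO_IPV6:
        raise ValueError("outer protocol is not 41, no IPv6 inside")
    p = o["payload"]
    if len(p) < 40 or p[0] >> 4 != 6:
        raise ValueError("payload is not an IPv6 header")
    return {"family": "ip6", "next_header": p[6],
            "src": socket.inet_ntop(socket.AF_INET6, p[8:24]),
            "dst": socket.inet_ntop(socket.AF_INET6, p[24:40])}

def matches_rule_140(pkt, he_tun=HE_TUN, me=ME):
    """Model of: allow ip4 from $he_tun to me proto ipv6 (not ipfw's code)."""
    o = outer_view(pkt)
    return (o["family"] == "ip4" and o["src"] == he_tun
            and o["dst"] == me and o["proto"] == PROTO_IPV6)

if __name__ == "__main__":
    pkt = build_sample()
    print(outer_view(pkt)["proto"], inner_view(pkt), matches_rule_140(pkt))
```

A rule on the LAN interface that only permits the IPv6 family never sees this packet as IPv6; only the gif0 side does.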