Date: Sun, 14 Oct 2001 20:15:57 +0200
From: Rémi Guyomarch
To: freebsd-stable@freebsd.org
Subject: Re: ipfilter ipv6
Message-ID: <20011014201557.C93723@diabolic-cow.chatgris.net>
References: <20011014232019.A29012@aurema.com> <20011014152203.O69352-100000@darkwing.turbo.net>
In-Reply-To: <20011014152203.O69352-100000@darkwing.turbo.net>; from turbo@lamering.org on Sun, Oct 14, 2001 at 03:26:27PM +0200

On Sun, Oct 14, 2001 at 03:26:27PM +0200, Henrik Holmstam wrote:
>
> On Sun, 14 Oct 2001, Christopher Vance wrote:
>
> > Is there any reason why FreeBSD ipfilter is compiled without ipv6?
> > Does it not work, or is nobody FreeBSDish interested?

I don't think IPFilter is IPv6-ready. There's some support but I don't
think it's stable or tested enough at this point. I may be wrong.

> > I'd prefer something to keep state, so ip6fw isn't quite what I want.
>
> Is it? I'm using default IPFilter on FreeBSD 4.4-STABLE with ipv6 and it
> works just fine. I'm keeping state and have rules with 'proto ipv6' with
> no problems.

"ipv6" in this context means "v6 in v4".
It means you're filtering IPv6 packets based on the IPv4 tunnel
end-point address, which is better than nothing but still far from
ideal.

IPFilter compiled with IPv6 support needs *two* different sets of
rules. One for v4 and one for v6. The v6 set is managed with "ipf -6"
instead of "ipf".

See ipf(1) :

OPTIONS
     -6     This option is required to parse IPv6 rules and to have them
            loaded.

-- 
Rémi
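The two rule sets described in the message above, shown side by side as an added example (not part of the original post). It assumes an IPFilter build with IPv6 support; the interface names (fxp0, gif0), the file paths and the documentation-range addresses are constructed for illustration.

```conf
# ---- /etc/ipf.rules (assumed path), loaded with:  ipf -f /etc/ipf.rules
# The v4 set only sees the tunnel as one opaque protocol (41, "ipv6"
# in /etc/protocols) between the two IPv4 end-points. It cannot match
# on anything inside the encapsulated IPv6 packet.
# 192.0.2.1    = remote tunnel end-point (constructed)
# 198.51.100.2 = local tunnel end-point (constructed)
pass in  quick on fxp0 proto ipv6 from 192.0.2.1 to 198.51.100.2
pass out quick on fxp0 proto ipv6 from 198.51.100.2 to 192.0.2.1
block in quick on fxp0 proto ipv6 from any to any

# ---- /etc/ipf6.rules (assumed path), loaded with:  ipf -6 -f /etc/ipf6.rules
# The v6 set is evaluated on the decapsulated traffic (here on the
# tunnel interface gif0), so it can match IPv6 addresses, protocols
# and ports, and keep state per connection.
block in on gif0 all
# protocol 58 is ICMPv6, needed for neighbour discovery and path MTU
pass in  quick on gif0 proto 58 from any to any
pass out quick on gif0 proto 58 from any to any
# outbound connections from this host, with replies admitted by state
pass out quick on gif0 proto tcp from any to any flags S keep state
pass out quick on gif0 proto udp from any to any keep state
# one inbound service: SSH to a constructed 2001:db8::/32 address
pass in  quick on gif0 proto tcp from any to 2001:db8:0:1::10/128 port = 22 flags S keep state

# List what is actually loaded in each set:
#   ipfstat -io        (v4 rules)
#   ipfstat -6 -io     (v6 rules)
```

Loading the second file without -6 makes ipf parse it as IPv4 rules, so the v6 list stays empty; checking `ipfstat -6 -io` after loading confirms the v6 set is in place.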