From owner-freebsd-ipfw@FreeBSD.ORG Thu Dec 17 23:58:32 2009
From: Max Laier
Organization: FreeBSD
To: freebsd-ipfw@freebsd.org
Cc: David Horn, Hajimu UMEMOTO
Date: Fri, 18 Dec 2009 00:45:53 +0100
Subject: Re: Unified rc.firewall ipfw me/me6 issue
In-Reply-To: <25ff90d60912162320y286e37a0ufeb64397716d8c18@mail.gmail.com>
Message-Id: <200912180045.53942.max@love2party.net>
List-Id: IPFW Technical Discussions

On Thursday 17 December 2009 08:20:47 David Horn wrote:
> Hajimu --
>
> Thanks for working on rc.firewall, as the old scenario of dueling
> rc.firewall/rc.firewall6 was not easily used in the default configurations
> when running dual stack. The new rc.firewall has some very decent sane
> defaults. My testing so far has been concentrated on
> firewall_type="client", dual stack v4/v6 with SLAAC for IPv6, and DHCP for
> IPv4. I will try some of the IPv6 tunnel scenarios later.
>
> I ran some tests against the now committed to -current /etc/rc.firewall,
> and think I have found an issue. In every line that has the "me" token
> without the equivalent "me6" token, the command is only taking effect for
> IPv4.
>
> For example:
>
> ${fwcmd} add pass udp from me to any 53 keep-state
>
> will allow DNS requests from the client to pass, but if the destination
> host is IPv6, this rule does not work. Instead you need:
>
> ${fwcmd} add pass udp from { me or me6 } to any 53 keep-state
>
> The same issue exists for several other entries as well. (possible diff
> attached) The other option is to modify ipfw to actually have three
> different "me" tokens (me/me4/me6) where the new "me" token would match
> both IPv4 and IPv6 local interface addresses. Currently "me" matches only
> IPv4 addresses on my amd64 -current box.

The problem with this approach is and has been that it would change the
meaning of "me". IIRC, it was considered a POLA violation to do that back
when the IPv6 functionality was merged.

An alternative would be to introduce a new name for me when we don't care
which address family - e.g. me_any, mine, me64, me12, ... pick your color.

> Thoughts anyone?
>
> --Thanks!
>
> -_Dave Horn
>
> P.S., might also be nice to have an UPDATING entry for unified rc.firewall
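The audit David describes (finding every rc.firewall rule that uses the bare "me" token and so only matches the host's IPv4 addresses) can be done mechanically. The following sh/awk helpers are an added example, not David's attached diff and not part of rc.firewall; they assume the file is a plain list of `${fwcmd} add ...` lines, one rule per line, as in the stock rc.firewall. The first function lists the IPv4-only rules, the second emits a copy with each bare `me` rewritten as `{ me or me6 }`, which is the rule form David shows and leaves ipfw's own meaning of `me` untouched (Max's POLA concern).

```shell
#!/bin/sh
# Audit and rewrite helpers for ipfw rc.firewall scripts (added example).
# Assumption: one rule per line; tokens are whitespace separated, so "me"
# and "me6" can be matched as whole fields rather than substrings.

# Print "lineno:rule" for every rule that mentions the "me" token but not
# "me6". Such a rule matches only the host's IPv4 addresses.
ipfw_v4only_me() {
    awk '
        /^[[:space:]]*#/ { next }          # comments are not rules
        {
            has_me = 0; has_me6 = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "me")  has_me  = 1
                if ($i == "me6") has_me6 = 1
            }
            if (has_me && !has_me6) printf "%d:%s\n", NR, $0
        }' "$1"
}

# Emit the file with every bare "me" rewritten as "{ me or me6 }" so the
# rule covers both address families. Rules that already mention "me6"
# (including "{ me or me6 }") are copied through unchanged. Note: awk
# rebuilds modified lines with single-space separators.
ipfw_me_dualstack() {
    awk '
        /^[[:space:]]*#/ { print; next }
        {
            has_me6 = 0
            for (i = 1; i <= NF; i++) if ($i == "me6") has_me6 = 1
            if (!has_me6)
                for (i = 1; i <= NF; i++) if ($i == "me") $i = "{ me or me6 }"
            print
        }' "$1"
}

# Usage (constructed sample, not the real rc.firewall):
#   ipfw_v4only_me /etc/rc.firewall
#   ipfw_me_dualstack /etc/rc.firewall > /tmp/rc.firewall.dualstack
```

Run the first function against the committed rc.firewall to get the list of lines to fix; diff the second function's output against the original before installing it, since the rewrite is purely lexical and does not know which rules are intentionally IPv4-only.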