From: Jeroen Ubbink
To: freebsd-stable@freebsd.org
Date: Fri, 30 Jan 2004 09:38:08 +0100
Subject: IPF, IPv6 and a bridge
Message-ID: <20040130083808.GA60129@cartman.south-park>

Hello,

I have built a VPN with some friends; we all have a tap-device that handles data for the VPN. The tap-device is bridged to our local network interfaces, e.g.:

    net.link.ether.bridge_cfg: tap1,fxp0
    net.link.ether.bridge: 1
    net.link.ether.bridge_ipf: 1

Now some of my friends also have an IPv6 tunnel set up, just like me, and are running rtadvd to give their internal network IPv6 addresses and routes. The point is that it goes across the entire VPN. So the hosts in my network get routes and IPs out of the prefixes of friends, which in most cases makes traffic with the outside world through IPv6 impossible.
Now what I want my IPF to do is to block all the router advertisements coming in on tap1. Easier done than said. A simple rule:

    block in quick on tap1 all

Load it with ipf -6 and it works as an IPv6 rule. This works for the machine with the TAP device in it: it doesn't get an IP or a route from anybody else anymore, but it doesn't prevent the router advertisements from going to the rest of my hosts. I even tried to block ipv6-icmp and load it with the IPv4 rules; still the same. IPv4 however seems to block like a charm: blocking DHCP to prevent other hosts from getting an IP of my network, or making sure my network doesn't get IPs from other networks, seems to work fine.

I'm lost. ipfw doesn't seem to block router advertisements on a bridge either. Is this just a problem with both those firewall tools or is it a problem in FreeBSD?

Thanks in advance,
Jeroen Ubbink
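Whatever the firewall ends up doing on the bridge, the first thing to establish is which router advertisements are actually crossing tap1 and which prefixes they carry. The following is an added example, not code from the original post: a minimal ICMPv6 router-advertisement parser that could be run over frames captured on the bridge member (e.g. with a pcap library, assumed and not shown) and reports advertised prefixes that are not your own. The prefix 2001:db8:feed::/64, the MAC 00:11:22:33:44:55 and the builder function are constructed for the sample; extension headers are not walked, so an RA behind a hop-by-hop header would be missed.

```python
import struct
import ipaddress

ETH_P_IPV6, IPPROTO_ICMPV6 = 0x86DD, 58
ND_ROUTER_ADVERT, ND_OPT_PREFIX_INFO = 134, 3

def parse_router_advert(frame: bytes):
    """Return {src_mac, src_ip, lifetime, prefixes} if frame is an ICMPv6 RA, else None."""
    if len(frame) < 70 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IPV6:
        return None
    ip6 = frame[14:54]
    payload_len, next_hdr = struct.unpack("!HB", ip6[4:7])
    # Extension headers are not walked: an RA behind a hop-by-hop header is not seen here.
    if ip6[0] >> 4 != 6 or next_hdr != IPPROTO_ICMPV6:
        return None
    icmp = frame[54:54 + payload_len]
    if len(icmp) < 16 or icmp[0] != ND_ROUTER_ADVERT:
        return None
    prefixes, off = [], 16
    while off + 2 <= len(icmp):
        opt_type, opt_len = icmp[off], icmp[off + 1] * 8
        if opt_len == 0 or off + opt_len > len(icmp):
            break  # malformed option: stop rather than loop forever
        if opt_type == ND_OPT_PREFIX_INFO and opt_len == 32:
            prefix = ipaddress.IPv6Address(icmp[off + 16:off + 32])
            prefixes.append(f"{prefix}/{icmp[off + 2]}")
        off += opt_len
    return {
        "src_mac": ":".join(f"{b:02x}" for b in frame[6:12]),
        "src_ip": str(ipaddress.IPv6Address(ip6[8:24])),
        "lifetime": struct.unpack("!H", icmp[6:8])[0],
        "prefixes": prefixes,
    }

def foreign_prefixes(frame: bytes, local_prefixes) -> list:
    """Prefixes this RA advertises that are not ours, i.e. an RA leaking in over the bridge."""
    ra = parse_router_advert(frame)
    return [] if ra is None else [p for p in ra["prefixes"] if p not in local_prefixes]

def build_ra_frame(src_mac: bytes, src_ip: str, prefix: str, plen: int = 64) -> bytes:
    """Construct a minimal RA frame for testing (ICMPv6 checksum left zero; never sent)."""
    ra = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0, 1800, 0, 0)
    ra += struct.pack("!BBBBIII", ND_OPT_PREFIX_INFO, 4, plen, 0xC0, 2592000, 604800, 0)
    ra += ipaddress.IPv6Address(prefix).packed
    ip6 = struct.pack("!IHBB", 0x60000000, len(ra), IPPROTO_ICMPV6, 255)
    ip6 += ipaddress.IPv6Address(src_ip).packed + ipaddress.IPv6Address("ff02::1").packed
    return bytes.fromhex("333300000001") + src_mac + struct.pack("!H", ETH_P_IPV6) + ip6 + ra

# Constructed sample: a friend's router advertising its prefix across the VPN bridge.
SAMPLE_RA = build_ra_frame(bytes.fromhex("001122334455"), "fe80::211:22ff:fe33:4455", "2001:db8:feed::")
```

Running foreign_prefixes over captured frames with your own prefix set tells you, per source MAC, which peer's rtadvd is reaching your segment, which is the evidence to take back to the ipf or ipfw ruleset.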