Date: Thu, 17 Dec 2009 16:22:32 -0800 From: Freddie Cash <fjwcash@gmail.com> To: freebsd-ipfw@freebsd.org Subject: Re: Unified rc.firewall ipfw me/me6 issue Message-ID: <b269bc570912171622s5222b737i94a1164a0fc054fd@mail.gmail.com> In-Reply-To: <200912180045.53942.max@love2party.net> References: <25ff90d60912162320y286e37a0ufeb64397716d8c18@mail.gmail.com> <200912180045.53942.max@love2party.net>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, Dec 17, 2009 at 3:45 PM, Max Laier <max@love2party.net> wrote: > On Thursday 17 December 2009 08:20:47 David Horn wrote: > > Thanks for working on rc.firewall, as the old scenario of dualing > > rc.firewall/rc.firewall6 was not easily used in the default > configurations > > when running dual stack. The new rc.firewall has some very decent sane > > defaults. My testing so far as been concentrated on > > firewall_type="client", dual stack v4/v6 with SLAAC for IPv6, and DHCP > for > > IPv4. I will try some of the IPv6 tunnel scenarios later. > > > > I ran some tests against the now committed to -current /etc/rc.firewall, > > and think have found an issue. In every line that has the "me" token > > without the equivalent "me6" token, the command is only taking affect > for > > ipv4. > > > > For example: > > > > ${fwcmd} add pass udp from me to any 53 keep-state > > > > will allow dns requests from the client to pass, but if the destination > > host is ipv6, this rule does not work. Instead you need: > > > > ${fwcmd} add pass udp from { me or me6 } to any 53 keep-state > > > > The same issue exists for several other entries as well. (possible diff > > attached) The other option is to modify ipfw to actually have three > > different "me" tokens (me/me4/me6) where the new "me" token would match > > both ipv4 and ipv6 local interface addresses. Currently "me" matches > only > > ipv4 addresses on my amd64 -current box. > > The problem with this approach is and has been that it would change the > meaning of "me". IIRC, it was considered a POLA violation to do that back > when the IPv6 functionality was merged. An alternative would be to > introduce a > new name for me when we don't care which address family - e.g. me_any, > mine, > me64, me12, ... pick your color. > > But it doesn't change the meaning of "me". "me" is any IP address configured on any interface. In that sense, there shouldn't be any differentiation between IPv4 and IPv6, since both are IP. If we wanted to be pedantic and keep things consistent, then why isn't there an "any6" keyword? ;) "me" should be any IP address configured on any interface, regardless of IP version. "me4" should be any IPv4 address configured on any interface. "me6" should be any IPv6 address configured on any interface. Having just "me" and "me6" is inconsistent and illogical, Jim. ;) -- Freddie Cash fjwcash@gmail.com
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?b269bc570912171622s5222b737i94a1164a0fc054fd>