From owner-freebsd-ipfw@FreeBSD.ORG Fri Dec 18 00:22:33 2009
From: Freddie Cash <fjwcash@gmail.com>
To: freebsd-ipfw@freebsd.org
Date: Thu, 17 Dec 2009 16:22:32 -0800
Subject: Re: Unified rc.firewall ipfw me/me6 issue
In-Reply-To: <200912180045.53942.max@love2party.net>
References: <25ff90d60912162320y286e37a0ufeb64397716d8c18@mail.gmail.com> <200912180045.53942.max@love2party.net>
List-Id: IPFW Technical Discussions
On Thu, Dec 17, 2009 at 3:45 PM, Max Laier wrote:
> On Thursday 17 December 2009 08:20:47 David Horn wrote:
> > Thanks for working on rc.firewall, as the old scenario of dueling
> > rc.firewall/rc.firewall6 was not easily used in the default
> > configurations when running dual stack. The new rc.firewall has some
> > very decent sane defaults. My testing so far has been concentrated on
> > firewall_type="client", dual stack v4/v6 with SLAAC for IPv6, and DHCP
> > for IPv4. I will try some of the IPv6 tunnel scenarios later.
> >
> > I ran some tests against the now committed to -current
> > /etc/rc.firewall, and think I have found an issue. In every line that
> > has the "me" token without the equivalent "me6" token, the command is
> > only taking effect for ipv4.
> >
> > For example:
> >
> > ${fwcmd} add pass udp from me to any 53 keep-state
> >
> > will allow dns requests from the client to pass, but if the
> > destination host is ipv6, this rule does not work. Instead you need:
> >
> > ${fwcmd} add pass udp from { me or me6 } to any 53 keep-state
> >
> > The same issue exists for several other entries as well. (possible
> > diff attached) The other option is to modify ipfw to actually have
> > three different "me" tokens (me/me4/me6) where the new "me" token
> > would match both ipv4 and ipv6 local interface addresses. Currently
> > "me" matches only ipv4 addresses on my amd64 -current box.
>
> The problem with this approach is and has been that it would change the
> meaning of "me". IIRC, it was considered a POLA violation to do that
> back when the IPv6 functionality was merged. An alternative would be to
> introduce a new name for me when we don't care which address family -
> e.g. me_any, mine, me64, me12, ... pick your color.

But it doesn't change the meaning of "me". "me" is any IP address
configured on any interface. In that sense, there shouldn't be any
differentiation between IPv4 and IPv6, since both are IP.

If we wanted to be pedantic and keep things consistent, then why isn't
there an "any6" keyword? ;)

"me" should be any IP address configured on any interface, regardless of
IP version. "me4" should be any IPv4 address configured on any interface.
"me6" should be any IPv6 address configured on any interface.

Having just "me" and "me6" is inconsistent and illogical, Jim. ;)

--
Freddie Cash
fjwcash@gmail.com
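The rule shapes discussed in this thread, as an added example that is not part of the mailing-list post or of FreeBSD's rc.firewall: a small dual-stack "client" fragment written in rc.firewall style with `{ me or me6 }` in place of bare `me`, plus a lint that reports any rule using `me` as a word with no `me6` on the same line (the exact defect David Horn describes). The rule set itself (DNS and NTP out), the function names and the `--demo` switch are assumptions for illustration; `fwcmd` defaults to a dry-run `echo ipfw` so the script runs on any POSIX shell, and nothing here changes how ipfw itself interprets `me`.

```shell
#!/bin/sh
# Added example (not FreeBSD's rc.firewall): dual-stack "client" rules in
# rc.firewall style, plus a lint for rules that silently became IPv4-only.
#
# ipfw's "me" matches only the IPv4 addresses of local interfaces and
# "me6" only the IPv6 ones, so a rule written with bare "me" never fires
# for IPv6 traffic. Grouping them as { me or me6 } covers both families.

# Dry-run by default so the fragment can be reviewed on any host; set
# fwcmd=/sbin/ipfw on the FreeBSD box to load the rules for real.
fwcmd="${fwcmd:-echo ipfw}"

# Address-family-neutral "this host" operand. Expanded unquoted on
# purpose: ipfw wants "{", "me", "or", "me6" and "}" as separate words.
me_any="{ me or me6 }"

# Illustrative client rules (assumed set: DNS and NTP out, with return
# traffic handled by keep-state). The commented line is the IPv4-only
# form the thread reports; the active lines are the dual-stack fix.
client_rules() {
    # ${fwcmd} add pass udp from me to any 53 keep-state
    ${fwcmd} add pass udp from ${me_any} to any 53 keep-state
    ${fwcmd} add pass tcp from ${me_any} to any 53 setup keep-state
    ${fwcmd} add pass udp from ${me_any} to any 123 keep-state
}

# Lint: print every rule that uses "me" as a whole word but has no "me6"
# on the same line; such rules match IPv4 only. A rule written with
# "me6" alone is not reported. A v4 rule and its v6 twin kept on
# separate lines will have the v4 line reported, a deliberate false
# positive for the one-rule-per-line style rc.firewall uses.
lint_v4_only() {
    grep -w 'me' | grep -vw 'me6'
}

# Check an existing rule file (for example the output of `ipfw list`):
# returns 0 when no IPv4-only "me" rules are present, 1 otherwise.
check_rules_file() {
    if [ -n "$(lint_v4_only < "$1")" ]; then
        return 1
    fi
    return 0
}

# Stand-alone run: emit the rules, then lint the emitted text.
if [ "${1:-}" = "--demo" ]; then
    client_rules
    echo "--- IPv4-only rules (should be none) ---"
    client_rules | lint_v4_only
fi
```

Run `sh client_rules.sh --demo` to see the generated rules and confirm the lint is silent; to audit a live box, save `ipfw list` to a file and call `check_rules_file` on it. The lint is a line-oriented heuristic, not a parser of ipfw syntax, which is why it is limited to the `me`-without-`me6` pattern the thread is about.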