Date: Mon, 24 Feb 2014 08:58:00 -0500
From: Jay Young <j1010y@gmail.com>
To: freebsd-stable@freebsd.org
Subject: ipv6 and ipfilter on 10.0-RELEASE
Message-ID: <61186760-1AC1-43FB-9F11-989B57AD8754@gmail.com>
I am running a 10.0-RELEASE system with the same ipfilter config that I have on many 9.2-RELEASE systems. When I look at my ipmon logs I see that both IPv4 and IPv6 packets are being blocked by the same rule @0:16. On my 9.2 systems the IPv6 rules are separate from the IPv4 rules. Do I need to change the ipfilter config in some way? Also, how do I tell which rule is being hit? The output of ipfstat -ni and ipfstat -6 -ni shows me the rule numbers like the 9.2 box. I only have two blocking rules: @6 for ipv6 and @10 for ipv4. Also wondering why the icmp6 traffic is being blocked at all since it is allowed in the inet6 rule.

Thanks,
Jay

Feb 24 08:02:32 xxxx ipmon[2208]: 08:02:32.654562 bge0 @0:16 b xxxx::xxxx:xxxx:xxxx:xxxx -> ff02::1 PR icmpv6 len 40 104 icmpv6 routeradvert/0 IN multicast
Feb 24 08:02:32 xxxx ipmon[2208]: 08:02:32.654562 bge0 @0:16 b xxxx::xxxx:xxxx:xxxx:xxxx -> ff02::1 PR icmpv6 len 40 104 icmpv6 routeradvert/0 IN multicast
Feb 24 08:02:33 xxxx ipmon[2208]: 08:02:33.675609 bge0 @0:16 b xxx.xxx.xxx.xxx,0 -> xxx.xxx.xxx.xxx,123 PR udp len 20 76 IN low-ttl bad broadcast
Feb 24 08:02:33 xxxx ipmon[2208]: 08:02:33.675609 bge0 @0:16 b xxx.xxx.xxx.xxx,0 -> xxx.xxx.xxx.xxx,123 PR udp len 20 76 IN low-ttl bad broadcast

#ipfstat -6 -ni
@1 pass in quick on lo0 inet6 all
@2 pass in quick inet6 proto ipv6-icmp from any to any keep state
@3 pass in quick inet6 proto tcp from xxxx:xxxx:xxxx:xxxx::/64 to any port = ssh keep state
@4 pass in quick inet6 proto tcp from any to any port = smtp keep state
@5 pass in quick inet6 proto udp from xxxx:xxxx:xxxx::/48 to any port = ntp keep state
@6 block in log first inet6 all

#sudo ipfstat -ni
@1 pass in quick on lo0 inet all
@2 pass in quick inet proto icmp from any to any keep state
@3 pass in quick inet proto igmp from any to any keep state
@4 pass in quick inet proto tcp from xxx.xxx.xxx.xxx/24 to any port = ssh keep state
@5 pass in quick inet proto tcp from xxx.xxx.xxx.xxx/32 to any port = ssh keep state
@6 pass in quick inet proto tcp from xxx.xxx.xxx.xxx/32 to any port = ssh keep state
@7 pass in quick inet proto tcp from any to any port = smtp keep state
@8 pass in quick inet proto udp from xxx.xxx.xxx.xxx/24 to any port = ntp keep state
@9 pass in quick inet proto tcp from any to any port = snpp keep state
@10 block in log first inet all