From: Jay Young
Subject: ipv6 and ipfilter on 10.0-RELEASE
Date: Mon, 24 Feb 2014 08:58:00 -0500
To: freebsd-stable@freebsd.org
Message-Id: <61186760-1AC1-43FB-9F11-989B57AD8754@gmail.com>

I am running a 10.0-RELEASE system with the same ipfilter config that I have on many 9.2-RELEASE systems. When I look at my ipmon logs I see that both IPv4 and IPv6 packets are being blocked by the same rule @0:16. On my 9.2 systems the IPv6 rules are separate from the IPv4 rules. Do I need to change the ipfilter config in some way? Also, how do I tell which rule is being hit? The output of ipfstat -ni and ipfstat -6 -ni shows me the rule numbers like the 9.2 box. I only have two blocking rules, @6 for ipv6 and @10 for ipv4. Also wondering why the icmp6 traffic is being blocked at all since it is allowed in the inet6 rule.

Thanks,
Jay

Feb 24 08:02:32 xxxx ipmon[2208]: 08:02:32.654562 bge0 @0:16 b xxxx::xxxx:xxxx:xxxx:xxxx -> ff02::1 PR icmpv6 len 40 104 icmpv6 routeradvert/0 IN multicast
Feb 24 08:02:32 xxxx ipmon[2208]: 08:02:32.654562 bge0 @0:16 b xxxx::xxxx:xxxx:xxxx:xxxx -> ff02::1 PR icmpv6 len 40 104 icmpv6 routeradvert/0 IN multicast
Feb 24 08:02:33 xxxx ipmon[2208]: 08:02:33.675609 bge0 @0:16 b xxx.xxx.xxx.xxx,0 -> xxx.xxx.xxx.xxx,123 PR udp len 20 76 IN low-ttl bad broadcast
Feb 24 08:02:33 xxxx ipmon[2208]: 08:02:33.675609 bge0 @0:16 b xxx.xxx.xxx.xxx,0 -> xxx.xxx.xxx.xxx,123 PR udp len 20 76 IN low-ttl bad broadcast

#ipfstat -6 -ni
@1 pass in quick on lo0 inet6 all
@2 pass in quick inet6 proto ipv6-icmp from any to any keep state
@3 pass in quick inet6 proto tcp from xxxx:xxxx:xxxx:xxxx::/64 to any port = ssh keep state
@4 pass in quick inet6 proto tcp from any to any port = smtp keep state
@5 pass in quick inet6 proto udp from xxxx:xxxx:xxxx::/48 to any port = ntp keep state
@6 block in log first inet6 all

#sudo ipfstat -ni
@1 pass in quick on lo0 inet all
@2 pass in quick inet proto icmp from any to any keep state
@3 pass in quick inet proto igmp from any to any keep state
@4 pass in quick inet proto tcp from xxx.xxx.xxx.xxx/24 to any port = ssh keep state
@5 pass in quick inet proto tcp from xxx.xxx.xxx.xxx/32 to any port = ssh keep state
@6 pass in quick inet proto tcp from xxx.xxx.xxx.xxx/32 to any port = ssh keep state
@7 pass in quick inet proto tcp from any to any port = smtp keep state
@8 pass in quick inet proto udp from xxx.xxx.xxx.xxx/24 to any port = ntp keep state
@9 pass in quick inet proto tcp from any to any port = snpp keep state
@10 block in log first inet all
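
Added example (not part of the original message): a small Python tally of ipmon log lines by group:rule, action and address family, listing any rule number that was logged for both inet and inet6 packets, which is what the post reports for @0:16. The sample lines, host name and addresses are constructed, and the parser assumes the ipmon syslog layout quoted above.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the ipmon syslog layout quoted in the post;
# host name and addresses are documentation values, not taken from the post.
SAMPLE = [
    "Feb 24 08:02:32 host ipmon[2208]: 08:02:32.654562 bge0 @0:16 b fe80::1 -> ff02::1 PR icmpv6 len 40 104 icmpv6 routeradvert/0 IN multicast",
    "Feb 24 08:02:33 host ipmon[2208]: 08:02:33.675609 bge0 @0:16 b 192.0.2.10,0 -> 192.0.2.255,123 PR udp len 20 76 IN low-ttl bad broadcast",
    "Feb 24 08:02:40 host ipmon[2208]: 08:02:40.101010 bge0 @0:16 b 2001:db8::5,51514 -> 2001:db8::1,23 PR tcp len 40 60 -S IN",
    "Feb 24 08:02:41 host ipmon[2208]: 08:02:41.202020 bge0 @0:10 b 198.51.100.7,40000 -> 192.0.2.10,22 PR tcp len 20 60 -S IN",
]

# timestamp, optional "Nx" repeat count, interface, @group:rule, action,
# source -> destination, then "PR <protocol>".
LINE = re.compile(
    r"ipmon\[\d+\]:\s+\S+\s+(?:\d+x\s+)?(?P<ifname>\S+)\s+"
    r"@(?P<group>[^:\s]+):(?P<rule>\d+)\s+(?P<action>\S+)\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+PR\s+(?P<proto>\S+)"
)

def family(endpoint):
    """Map an ipmon endpoint ('addr' or 'addr,port') to 'inet' or 'inet6'."""
    try:
        version = ipaddress.ip_address(endpoint.split(",")[0]).version
    except ValueError:  # for example a resolved host name instead of an address
        return "unknown"
    return "inet6" if version == 6 else "inet"

def tally(lines):
    """Count log entries per (group:rule, action, address family)."""
    hits = Counter()
    for line in lines:
        m = LINE.search(line)
        if m:  # lines that are not ipmon packet records are skipped
            rule = f"{m['group']}:{m['rule']}"
            hits[(rule, m["action"], family(m["src"]))] += 1
    return hits

def mixed_family_rules(hits):
    """Return rule ids that were logged for both IPv4 and IPv6 packets."""
    seen = {}
    for rule, _action, fam in hits:
        seen.setdefault(rule, set()).add(fam)
    return sorted(r for r, fams in seen.items() if {"inet", "inet6"} <= fams)

if __name__ == "__main__":
    hits = tally(SAMPLE)
    for key, count in sorted(hits.items()):
        print(*key, count)
    print("rules hit by both families:", mixed_family_rules(hits))
```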