From: "Tobias P. Santos"
Date: Fri, 25 Apr 2008 16:48:46 -0300
To: Kevin Oberman
Cc: net@freebsd.org
Subject: Re: ipfw can't be disabled for IPv56
Message-ID: <4812359E.5040800@netconsultoria.com.br>
In-Reply-To: <20080425194337.AFB7245010@ptavv.es.net>

Kevin Oberman wrote:
> Running 7-STABLE of April 10, if I disable the firewall ('sysctl
> net.inet.ip.fw.enable=0'), IPv4 traffic passes, but IPv6 will not. I had
> to add a "allow ip from any to any" rule to get IPv6 to work pass
> traffic. (Since I was accessing the system in question via IPv6, this
> was a bit annoying!)
>
> Am I missing anything? The rc.subr script for ipfw just sets the sysctl I
> did when it stops the firewall.

# sysctl -a | grep fw
net.inet.ip.fw.dyn_keepalive: 1
net.inet.ip.fw.dyn_short_lifetime: 5
net.inet.ip.fw.dyn_udp_lifetime: 10
net.inet.ip.fw.dyn_rst_lifetime: 1
net.inet.ip.fw.dyn_fin_lifetime: 1
net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.static_count: 8
net.inet.ip.fw.dyn_max: 4096
net.inet.ip.fw.dyn_count: 0
net.inet.ip.fw.curr_dyn_buckets: 256
net.inet.ip.fw.dyn_buckets: 256
net.inet.ip.fw.verbose_limit: 0
net.inet.ip.fw.verbose: 1
net.inet.ip.fw.debug: 1
net.inet.ip.fw.one_pass: 1
net.inet.ip.fw.autoinc_step: 100
net.inet.ip.fw.enable: 1
net.link.ether.ipfw: 0
net.inet6.ip6.fw.enable: 1 <------------ voila!!!
net.inet6.ip6.fw.debug: 1
net.inet6.ip6.fw.verbose: 1
net.inet6.ip6.fw.verbose_limit: 0
net.inet6.ip6.fw.deny_unknown_exthdrs: 1
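
Added example, not part of the original message: a small audit that reads sysctl-format output and reports whether the IPv4 and IPv6 ipfw enable knobs shown above agree, so a firewall that is off for one address family but still filtering the other is caught before it cuts off a remote session. The function names and the sample input are constructed for illustration; only the two sysctl names come from the thread.

```sh
#!/bin/sh
# Added example (not from the thread): compare the per-family ipfw knobs.
# Input on stdin: "name: value" lines, the format printed by sysctl.
# Output: one line, "ipv4=<v> ipv6=<v> status=<CONSISTENT|MISMATCH|INCOMPLETE>".
ipfw_enable_audit() {
    awk -F': *' '
        # Keep only the first token of the value, so trailing annotations
        # such as the arrow in the message above are ignored.
        $1 == "net.inet.ip.fw.enable"   { split($2, a, " "); v4 = a[1] }
        $1 == "net.inet6.ip6.fw.enable" { split($2, a, " "); v6 = a[1] }
        END {
            if (v4 == "" || v6 == "") status = "INCOMPLETE"
            else if (v4 == v6)        status = "CONSISTENT"
            else                      status = "MISMATCH"
            printf "ipv4=%s ipv6=%s status=%s\n",
                   (v4 == "" ? "?" : v4), (v6 == "" ? "?" : v6), status
        }'
}

# Constructed sample: the state described in the thread after running
# "sysctl net.inet.ip.fw.enable=0" (IPv4 filtering off, IPv6 still on).
sample_after_disable() {
    cat <<'EOF'
net.inet.ip.fw.one_pass: 1
net.inet.ip.fw.enable: 0
net.link.ether.ipfw: 0
net.inet6.ip6.fw.enable: 1
net.inet6.ip6.fw.deny_unknown_exthdrs: 1
EOF
}

# Demo on the constructed sample. On a host that exposes both knobs, feed
# live data instead:
#   sysctl net.inet.ip.fw.enable net.inet6.ip6.fw.enable | ipfw_enable_audit
sample_after_disable | ipfw_enable_audit
```

A MISMATCH result corresponds to the situation in the quoted report: with the default-deny ruleset still applied to IPv6, only IPv4 traffic passes until net.inet6.ip6.fw.enable is changed as well.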