Date: Tue, 8 Nov 2005 15:42:52 +0100 (CET)
From: Jean-Yves Lefort <jylefort@FreeBSD.org>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: kern/88664: ipfw stateful firewalling broken with IPv6
Message-ID: <20051108144252.C35C4C14F@jsite.lefort.net>
Resent-Message-ID: <200511081450.jA8EoDaf038870@freefall.freebsd.org>

>Number: 88664
>Category: kern
>Synopsis: ipfw stateful firewalling broken with IPv6
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Nov 08 14:50:13 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator: Jean-Yves Lefort
>Release: FreeBSD 6.0-RELEASE i386
>Organization:
>Environment:
System: FreeBSD jsite.lefort.net 6.0-RELEASE FreeBSD 6.0-RELEASE #0: Mon Nov 7 19:32:08 CET 2005 jylefort@jsite.lefort.net:/usr/obj/usr/src/sys/JSITE i386
>Description:
# ipfw list
00100 allow ip4 from any to any proto esp src-ip 192.168.1.1 dst-ip 192.168.1.2 in
00200 allow ip4 from any to any proto esp src-ip 192.168.1.2 dst-ip 192.168.1.1 out
00300 allow ip6 from any to any proto ipv6-icmp
00400 allow ip6 from any to any proto tcp src-ip6 me6 out setup keep-state
00500 allow ip6 from any to any proto udp src-ip6 me6 out keep-state
00600 deny log logamount 36000 ip from any to any
65535 deny ip from any to any

# telnet www.sixxs.net 80
Trying 2001:838:1:1:210:dcff:fe20:7c7c...
^C

# tail /var/log/security | grep 2001:
Nov 8 15:39:57 jsite kernel: ipfw: 600 Deny TCP [2001:0838:0001:0001:0210:dcff:fe20:7c7c]:80 [2001:0838:0339::0002]:58128 in via ed0
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
