Message-Id: <20051108144252.C35C4C14F@jsite.lefort.net>
Date: Tue, 8 Nov 2005 15:42:52 +0100 (CET)
From: Jean-Yves Lefort
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: kern/88664: ipfw stateful firewalling broken with IPv6

>Number: 88664
>Category: kern
>Synopsis: ipfw stateful firewalling broken with IPv6
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Nov 08 14:50:13 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator: Jean-Yves Lefort
>Release: FreeBSD 6.0-RELEASE i386
>Organization:
>Environment:
System: FreeBSD jsite.lefort.net 6.0-RELEASE FreeBSD 6.0-RELEASE #0: Mon Nov 7 19:32:08 CET 2005 jylefort@jsite.lefort.net:/usr/obj/usr/src/sys/JSITE i386
>Description:
# ipfw list
00100 allow ip4 from any to any proto esp src-ip 192.168.1.1 dst-ip 192.168.1.2 in
00200 allow ip4 from any to any proto esp src-ip 192.168.1.2 dst-ip 192.168.1.1 out
00300 allow ip6 from any to any proto ipv6-icmp
00400 allow ip6 from any to any proto tcp src-ip6 me6 out setup keep-state
00500 allow ip6 from any to any proto udp src-ip6 me6 out keep-state
00600 deny log logamount 36000 ip from any to any
65535 deny ip from any to any

# telnet www.sixxs.net 80
Trying 2001:838:1:1:210:dcff:fe20:7c7c...
^C

# tail /var/log/security | grep 2001:
Nov 8 15:39:57 jsite kernel: ipfw: 600 Deny TCP [2001:0838:0001:0001:0210:dcff:fe20:7c7c]:80 [2001:0838:0339::0002]:58128 in via ed0
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
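
Added example, not part of the original report or of FreeBSD: a Python triage helper that parses ipfw deny lines like the one quoted above and flags inbound denials whose source is an endpoint the host itself connected to, which is the pattern the report shows for rule 600. The function names, `TARGETS` and the second log line are constructed for illustration; addresses are compared as parsed values because the kernel log zero-pads each group while telnet prints the compressed form.

```python
import ipaddress
import re

# Matches the ipfw log format seen in the report:
#   ipfw: <rule> <action> <proto> [src]:sport [dst]:dport in|out via <if>
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"\[(?P<src>[0-9a-fA-F:]+)\]:(?P<sport>\d+) "
    r"\[(?P<dst>[0-9a-fA-F:]+)\]:(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)

def parse_log(line):
    """Parse one ipfw IPv6 log line into a dict, or return None."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return {
        "rule": int(m["rule"]), "action": m["action"],
        "proto": m["proto"].lower(), "dir": m["dir"],
        "src": ipaddress.IPv6Address(m["src"]), "sport": int(m["sport"]),
        "dst": ipaddress.IPv6Address(m["dst"]), "dport": int(m["dport"]),
    }

def denied_replies(lines, targets):
    """Return denied inbound packets coming from a (proto, addr, port)
    that this host connected to, i.e. likely replies to its own flows."""
    hits = []
    for line in lines:
        pkt = parse_log(line)
        if pkt is None or pkt["action"] != "Deny" or pkt["dir"] != "in":
            continue
        if (pkt["proto"], pkt["src"], pkt["sport"]) in targets:
            hits.append(pkt)
    return hits

# Outbound destination taken from the telnet output in the report.
TARGETS = {("tcp", ipaddress.IPv6Address("2001:838:1:1:210:dcff:fe20:7c7c"), 80)}

SAMPLE_LOG = [
    # Log line from the report.
    "Nov 8 15:39:57 jsite kernel: ipfw: 600 Deny TCP [2001:0838:0001:0001:0210:dcff:fe20:7c7c]:80 [2001:0838:0339::0002]:58128 in via ed0",
    # Constructed line: unsolicited inbound traffic, not a reply.
    "Nov 8 15:40:02 jsite kernel: ipfw: 600 Deny TCP [2001:0db8:0000:0000:0000:0000:0000:0001]:4444 [2001:0838:0339::0002]:22 in via ed0",
]

if __name__ == "__main__":
    for pkt in denied_replies(SAMPLE_LOG, TARGETS):
        print(f"rule {pkt['rule']} denied reply from [{pkt['src']}]:{pkt['sport']}")
```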