Date: Fri, 6 Jul 2001 15:59:10 +0200
From: "Niels Chr. Bank-Pedersen"
To: current@freebsd.org
Subject: Re: ipfilter+ipv6 - what am I missing?
Message-ID: <20010706155910.F770@bank-pedersen.dk>
References: <20010701142120.C770@bank-pedersen.dk> <005701c10256$d5361960$6503c23f@XGforce.com> <20010701213327.O17514@speedy.gsinet>
In-Reply-To: <20010701213327.O17514@speedy.gsinet>; from Gerhard.Sittig@gmx.net on Sun, Jul 01, 2001 at 09:33:27PM +0200

On Sun, Jul 01, 2001 at 09:33:27PM +0200, Gerhard Sittig wrote:
> On Sun, Jul 01, 2001 at 10:54 -0700, matt wrote:
> >
> > I don't think ipf is complete in its ipv6 support yet. You can
> > use ipfw instead.
>
> Ipf has been supporting IPv6 for quite some time. It's just that
> one has to enable this support in the Makefile.
>
> $ grep INET6 contrib/ipfilter/Makefile
> #INET6=-DUSE_INET6
> MFLAGS1='CFLAGS=$(CFLAGS) $(ARCHINC) $(SOLARIS2) $(INET6)' \
> [ ... ]

Thanks for the pointer - hadn't seen that (makes me wonder if we
need a general ipv6 switch in /etc/defaults/make.conf?).
Unfortunately I still can't convince ipfilter to notice/block ipv6
packets :-(

> And ISTR that one has to add "-6" to the ipf(8) invocation
> options (like, in /etc/rc.conf).

Yup, went there, did that - the following is taken from an ipv6
telnet session going through the firewall (after make world with
INET6=-DUSE_INET6):

bm# ipfstat -6io
block out quick on xl0 from any to any
block out quick on vx0 from any to any
block in quick on xl0 from any to any
block in quick on vx0 from any to any
bm# ipfstat -6
IPv6 packets: in 0 out 0
[..]

/Niels Chr.

-- 
Niels Christian Bank-Pedersen, NCB1-RIPE.
Network Manager, TDC, IP-section.

"Hey, are any of you guys out there actually *using* RFC 2549?"