From owner-freebsd-stable Sun Oct 14 23:43:32 2001
Date: Mon, 15 Oct 2001 16:43:21 +1000
From: Christopher Vance
To: Rémi Guyomarch
Cc: freebsd-stable@FreeBSD.ORG, ipfilter@coombs.anu.edu.au
Subject: Re: ipfilter ipv6
Message-ID: <20011015164320.A24890@aurema.com>
References: <20011014232019.A29012@aurema.com> <20011014152203.O69352-100000@darkwing.turbo.net> <20011014201557.C93723@diabolic-cow.chatgris.net> <20011015075708.B29012@aurema.com> <20011015005237.D93723@diabolic-cow.chatgris.net>
In-Reply-To: <20011015005237.D93723@diabolic-cow.chatgris.net>; from rguyom@pobox.com on Mon, Oct 15, 2001 at 12:52:37AM +0200

On Mon, Oct 15, 2001 at 12:52:37AM +0200, Rémi Guyomarch wrote:
: > Is that a judgement made by ipfilter people on what it does on FreeBSD,
: > or by FreeBSD people on what ipfilter does/doesn't do?
:
: Neither :)
: I tested IPFilter 3.4.x against IPv6 some time ago on OpenBSD and it
: wasn't ready. Situation might have evolved, this is why I wrote "I may
: be wrong".

I'm told that ipfilter/ipv6 on OpenBSD 2.9 doesn't work. OpenBSD 3.0 has removed ipf and replaced it with a new pf thingy. As a new implementation, it's probably not up to scratch yet, although it does let me specify ipv6 addresses in the same rule set as ipv4 ones and looks promising on the outside. :-)

: > It looks to me that the default compile of ipfilter on FreeBSD 4-S
: > turns off the -6 option and the USE_INET6 cpp define, and removes
: > mention of -6 from the manual pages. Seems like someone went to some
: > effort to remove it, and I was wondering why, and whether it was
: > easier to put back in.

I was wrong about the manual pages; my ipf(8) was shadowed by an older ipf(1), presumably from before the move to contrib, and maybe before the move to /sbin (I don't know which order this happened in). ipf(8) does mention -6, and ipf -6 gives you a usage message, but from the source code it doesn't actually seem to do anything beyond this. There's no -6 in ipfstat, which presumably says something...

The code for doing ipv6 in ipfilter is protected by #ifdef USE_INET6, and in FreeBSD 4.4-stable, that never seems to be #define'd or CFLAGS+=-D'd. (I did a grep over all of /usr/src.)

: Well, there's one thing to consider: the FreeBSD committer of IPFilter
: is IPFilter's author himself, Darren Reed. And it seems he chose to
: not enable IPv6 filtering. He should have good reasons to do so.

Is NetBSD any different? I was told it uses ipf for ipv6, but it also seems to have an older version. Perhaps it's like OpenBSD <= 2.9 where the bits seem to be there but don't necessarily do what's promised.

: But you could add the right define in a few Makefiles, recompile
: everything and test yourself :)

I tried it, and it didn't seem very useful. I'm not confident I did everything right, so this could be driver error.

If I knew NetBSD's ipfilter worked right, I'd probably change my firewall OS, even though I'm happy with FreeBSD for the desktop. Otherwise, I guess I'll continue with ip6fw, or fiddle with ipfilter, but without confidence - and take better pains to ensure I've done it right.

-- 
Christopher Vance