Date: Mon, 15 Oct 2001 17:29:05 +1000 (EST)
Message-Id: <200110150729.f9F7T5ts028741@rollcage.bl.echidna.id.au>
From: carl@bl.echidna.id.au
To: rguyom@pobox.com, vance@aurema.com
Cc: freebsd-stable@FreeBSD.ORG, ipfilter@coombs.anu.edu.au
Subject: Re: ipfilter ipv6

> From: Christopher Vance
>
> : Well, there's one thing to consider : the FreeBSD committer of IPFilter
> : is IPFilter's author itself, Darren Reed. And it seems he chose to
> : not enable IPv6 filtering. He should have good reasons to do so.
>
> Is NetBSD any different? I was told it uses ipf for ipv6, but it also
> seems to have an older version. Perhaps it's like OpenBSD <= 2.9
> where the bits seem to be there but don't necessarily do what's
> promised.

I haven't actually tested it yet, but a vanilla 1.5.3alpha build says:
(this is just a copy of my OpenBSD (not working!) ruleset)

twat# ipfstat -6 -io
pass out quick on rtk1 proto tcp from any to 3ffe:8001:5:2:a00:20ff:fe18:a87d/128 port = 25 keep state
pass out quick on rtk1 proto tcp from any to 3ffe:8001:5:2:a00:20ff:fe18:a87d/128 port = 113 keep state
pass out quick on rtk1 proto tcp from any to 3ffe:8001:5:2:a00:20ff:fe18:a87d/128 port = 22 keep state
pass out quick on rtk1 proto tcp from 3ffe:8001:5::/48 to any port = 123
pass out quick on rtk1 proto udp from 3ffe:8001:5::/48 to any port = 123
pass out quick on lo0 from any to any
pass in quick proto tcp from any to any port = 53 keep state
pass in quick proto udp from any to any port = 53 keep state
pass in quick on rtk1 proto tcp from 3ffe:8001:5::/48 to any keep state
pass in quick on rtk1 proto udp from 3ffe:8001:5::/48 to any keep state
pass in quick on rtk1 proto ipv6-icmp from 3ffe:8001:5::/48 to any keep state
pass in quick on lo0 from any to any
block in log quick from any to any

> If I knew NetBSD's ipfilter worked right, I'd probably change my
> firewall OS, even though I'm happy with FreeBSD for the desktop.

I'm pretty sure it works. I haven't had to recompile anything to get the
above. No live rules yet though, just the dummies above.

Carl