Date:      Thu, 17 Dec 2009 02:20:47 -0500
From:      David Horn <dhorn2000@gmail.com>
To:        Hajimu UMEMOTO <ume@freebsd.org>, freebsd-ipfw@freebsd.org
Subject:   Unified rc.firewall ipfw me/me6 issue
Message-ID:  <25ff90d60912162320y286e37a0ufeb64397716d8c18@mail.gmail.com>


Hajimu --

Thanks for working on rc.firewall, as the old scenario of dueling
rc.firewall/rc.firewall6 was not easily used in the default configurations
when running dual stack.  The new rc.firewall has some very decent sane
defaults.  My testing so far has been concentrated on firewall_type="client",
dual stack v4/v6 with SLAAC for IPv6, and DHCP for IPv4.  I will try some of
the IPv6 tunnel scenarios later.

I ran some tests against the now committed to -current /etc/rc.firewall, and
think I have found an issue.  In every line that has the "me" token without
the equivalent "me6" token, the command is only taking effect for ipv4.

For example:

${fwcmd} add pass udp from me to any 53 keep-state

will allow DNS requests from the client to pass, but if the destination host
is ipv6, this rule does not work.  Instead you need:

${fwcmd} add pass udp from { me or me6 } to any 53 keep-state

The same issue exists for several other entries as well. (possible diff
attached) The other option is to modify ipfw to actually have three
different "me" tokens (me/me4/me6) where the new "me" token would match both
ipv4 and ipv6 local interface addresses.  Currently "me" matches only ipv4
addresses on my amd64 -current box.

Thoughts anyone?

--Thanks!

-_Dave Horn

P.S., might also be nice to have an UPDATING entry for unified rc.firewall
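An audit script in the spirit of the issue above, added here as an example and not part of Dave's mail or the FreeBSD source: it scans a constructed sample of rc.firewall-style rules for a bare `me` token (which matches only IPv4 addresses, as described) and rewrites it to `{ me or me6 }` so the rule covers both stacks. The function names and the sample rules are my own assumptions, not the real /etc/rc.firewall.

```shell
#!/bin/sh
# Constructed sample of rc.firewall-style rules (not the real file).
# ${fwcmd} is kept literal, exactly as it appears in rc.firewall.
SAMPLE_RULES='${fwcmd} add pass udp from me to any 53 keep-state
${fwcmd} add pass tcp from me to any 25 setup
${fwcmd} add pass udp from { me or me6 } to any 123 keep-state
${fwcmd} add pass all from any to any via lo0
${fwcmd} add pass ipv6-icmp from me6 to any'

# Print every rule that still uses a bare "me" token, i.e. a rule that
# silently applies to IPv4 only.  The already-correct "{ me or me6 }"
# form is blanked out first so its inner "me" is not counted.
find_v4_only_me() {
    awk '{
        line = $0
        gsub(/[{] *me or me6 *[}]/, "", line)
        n = split(line, w)
        for (i = 1; i <= n; i++)
            if (w[i] == "me") { print $0; break }
    }'
}

# Rewrite each bare "me" token as "{ me or me6 }".  "me6" is a different
# token and is left alone; an existing "{ me or me6 }" is protected by a
# placeholder so it is not expanded twice.  Rewritten lines are re-joined
# with single spaces; untouched lines keep their original whitespace.
fix_me_token() {
    awk '{
        gsub(/[{] *me or me6 *[}]/, "DUALME")
        for (i = 1; i <= NF; i++)
            if ($i == "me") $i = "{ me or me6 }"
        gsub(/DUALME/, "{ me or me6 }")
        print
    }'
}

# Usage: list the IPv4-only rules in the sample, then show them corrected.
printf '%s\n' "$SAMPLE_RULES" | find_v4_only_me
printf '%s\n' "$SAMPLE_RULES" | find_v4_only_me | fix_me_token
```

To audit a real rc.firewall, feed the file to `find_v4_only_me` and review each hit by hand, since a rule that is intentionally IPv4-only (for example one paired with a separate me6 rule) should not be rewritten.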
