From: David Horn <dhorn2000@gmail.com>
To: Hajimu UMEMOTO, freebsd-ipfw@freebsd.org
Date: Thu, 17 Dec 2009 02:20:47 -0500
Subject: Unified rc.firewall ipfw me/me6 issue
Message-ID: <25ff90d60912162320y286e37a0ufeb64397716d8c18@mail.gmail.com>
List-Id: IPFW Technical Discussions
Hajimu --

Thanks for working on rc.firewall, as the old scenario of dueling rc.firewall/rc.firewall6 was not easily used in the default configurations when running dual stack. The new rc.firewall has some very decent, sane defaults.

My testing so far has been concentrated on firewall_type="client", dual stack v4/v6 with SLAAC for IPv6 and DHCP for IPv4. I will try some of the IPv6 tunnel scenarios later.

I ran some tests against the /etc/rc.firewall now committed to -current, and think I have found an issue. In every line that has the "me" token without the equivalent "me6" token, the command is only taking effect for IPv4. For example:

    ${fwcmd} add pass udp from me to any 53 keep-state

will allow DNS requests from the client to pass, but if the destination host is IPv6, this rule does not work. Instead you need:

    ${fwcmd} add pass udp from { me or me6 } to any 53 keep-state

The same issue exists for several other entries as well. (possible diff attached)

The other option is to modify ipfw to actually have three different "me" tokens (me/me4/me6), where the new "me" token would match both IPv4 and IPv6 local interface addresses. Currently "me" matches only IPv4 addresses on my amd64 -current box.

Thoughts anyone?

--Thanks!
--Dave Horn

P.S., might also be nice to have an UPDATING entry for unified rc.firewall

[Attachment: rc.firewall.diff.txt]

Index: etc/rc.firewall
===================================================================
--- etc/rc.firewall	(revision 200623)
+++ etc/rc.firewall	(working copy)
@@ -229,19 +229,19 @@
 	${fwcmd} add pass all from any to any frag
 
 	# Allow setup of incoming email
-	${fwcmd} add pass tcp from any to me 25 setup
+	${fwcmd} add pass tcp from any to { me or me6 } 25 setup
 
 	# Allow setup of outgoing TCP connections only
-	${fwcmd} add pass tcp from me to any setup
+	${fwcmd} add pass tcp from { me or me6 } to any setup
 
 	# Disallow setup of all other TCP connections
 	${fwcmd} add deny tcp from any to any setup
 
 	# Allow DNS queries out in the world
-	${fwcmd} add pass udp from me to any 53 keep-state
+	${fwcmd} add pass udp from { me or me6 } to any 53 keep-state
 
 	# Allow NTP queries out in the world
-	${fwcmd} add pass udp from me to any 123 keep-state
+	${fwcmd} add pass udp from { me or me6 } to any 123 keep-state
 
 	# Everything else is denied by default, unless the
 	# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
@@ -387,15 +387,15 @@
 	${fwcmd} add pass all from any to any frag
 
 	# Allow setup of incoming email
-	${fwcmd} add pass tcp from any to me 25 setup
+	${fwcmd} add pass tcp from any to { me or me6 } 25 setup
 
 	# Allow access to our DNS
-	${fwcmd} add pass tcp from any to me 53 setup
-	${fwcmd} add pass udp from any to me 53
-	${fwcmd} add pass udp from me 53 to any
+	${fwcmd} add pass tcp from any to { me or me6 } 53 setup
+	${fwcmd} add pass udp from any to { me or me6 } 53
+	${fwcmd} add pass udp from { me or me6 } 53 to any
 
 	# Allow access to our WWW
-	${fwcmd} add pass tcp from any to me 80 setup
+	${fwcmd} add pass tcp from any to { me or me6 } 80 setup
 
 	# Reject&Log all setup of incoming connections from the outside
 	${fwcmd} add deny log ip4 from any to any in via ${oif} setup proto tcp
@@ -408,10 +408,10 @@
 	${fwcmd} add pass tcp from any to any setup
 
 	# Allow DNS queries out in the world
-	${fwcmd} add pass udp from me to any 53 keep-state
+	${fwcmd} add pass udp from { me or me6 } to any 53 keep-state
 
 	# Allow NTP queries out in the world
-	${fwcmd} add pass udp from me to any 123 keep-state
+	${fwcmd} add pass udp from { me or me6 } to any 123 keep-state
 
 	# Everything else is denied by default, unless the
 	# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
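Review bot: the @@ -229,19 +229,19 @@ hunk changes what the default "client" profile passes for IPv6 (the cover mail states that `me` currently matches only IPv4 addresses, so the four widened rules on port 25 in, TCP setup out, and UDP 53/123 out newly admit IPv6 traffic), which is exactly the kind of default-behaviour change that should land together with the UPDATING entry the P.S. asks for rather than silently. The two untouched `any`-based rules in the same hunk (`deny tcp from any to any setup` and the frag rule) already cover both families, so leaving them alone is correct.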
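Review bot: in the @@ -387,15 +387,15 @@ hunk the widened rules on 25, 53 and 80 now accept IPv6 connection setups to the host, but the only catch-all visible in the trailing context, `deny log ip4 from any to any in via ${oif} setup proto tcp`, is IPv4-only; please confirm an `ip6` counterpart exists in the unchanged lines that follow (not shown in this hunk), otherwise inbound IPv6 TCP setups to other ports are not rejected and logged at this point and fall through to whatever rule comes next. The stateless DNS server pair (`udp from any to { me or me6 } 53` / `udp from { me or me6 } 53 to any`) is widened consistently in both directions.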
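Review bot: the @@ -408,10 +408,10 @@ hunk repeats the DNS/NTP edits of the first hunk line for line, giving six sites that all spell out `{ me or me6 }`; if ipfw's `me` token is later made dual-stack as the mail's alternative proposes, every site has to be reverted together, so a style suggestion is to define the or-block once in a shell variable near the top of the script and reference it in each rule, which keeps the sites in sync and makes a later revert a one-line change.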
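As an added example (not part of David Horn's mail, the attached patch, or FreeBSD's rc.firewall), the check the mail describes doing by hand can be scripted: a small POSIX sh lint that reads rc.firewall-style rules and reports every rule containing the IPv4-only `me` keyword with no `me6`, plus a rewrite that turns such rules into the `{ me or me6 }` form the patch uses. The function names `v4_only_me_rules` and `dualstack_rewrite`, and the sample ruleset, are constructed for this example; it assumes awk and a sed that accepts `-E` (both BSD and GNU sed do).

```shell
#!/bin/sh
# Added example, not from the original mail or from FreeBSD's rc.firewall:
# lint ipfw rules for the IPv4-only "me" keyword used without "me6".

# Constructed sample in the style of /etc/rc.firewall (not the real file).
# Lines 3 and 6 are the ones that only match IPv4 traffic.
SAMPLE_RULES='    ${fwcmd} add pass all from any to any frag
    # Allow setup of incoming email
    ${fwcmd} add pass tcp from any to me 25 setup
    # Allow DNS queries out in the world
    ${fwcmd} add pass udp from { me or me6 } to any 53 keep-state
    ${fwcmd} add pass udp from me to any 123 keep-state
    ${fwcmd} add deny log ip4 from any to any in via ${oif} setup proto tcp
    ${fwcmd} add deny tcp from any to any setup'

# v4_only_me_rules: read rules on stdin and print "<lineno>:<rule>" for each
# rule whose tokens include "me" but not "me6".  Comment and blank lines are
# skipped; braces are treated as separators so or-block members are seen as
# plain tokens, and whole-token comparison avoids matching "me" inside "me6".
v4_only_me_rules() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            has_me = 0; has_me6 = 0
            n = split($0, tok, /[ \t{}]+/)
            for (i = 1; i <= n; i++) {
                if (tok[i] == "me")  has_me = 1
                if (tok[i] == "me6") has_me6 = 1
            }
            if (has_me && !has_me6) print NR ":" $0
        }'
}

# dualstack_rewrite: print the rules with each bare "me" token replaced by
# "{ me or me6 }".  Lines that already mention me6 are left untouched so an
# existing or-block is never wrapped a second time.
dualstack_rewrite() {
    sed -E '/me6/!s/(^|[[:space:]])me([[:space:]]|$)/\1{ me or me6 }\2/g'
}

# Demonstration: list the IPv4-only rules in the sample, then show the
# rewritten ruleset.
printf '%s\n' "$SAMPLE_RULES" | v4_only_me_rules
printf '%s\n' "$SAMPLE_RULES" | dualstack_rewrite
```

Run it as `sh lint_me.sh` against the embedded sample, or pipe a real ruleset through `v4_only_me_rules` by replacing the demonstration lines with `v4_only_me_rules < /etc/rc.firewall`; the rewrite is deliberately conservative and only touches `me` as a whole token, so variables such as `${fwcmd}` and words containing "me" are not altered.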