From: "Bob Johnson"
To: "Nikos Vassiliadis"
Date: Tue, 6 Nov 2007 10:14:24 -0500
Cc: freebsd-questions@freebsd.org
Subject: Re: ip6fw without ipfw?

On 11/6/07, Nikos Vassiliadis wrote:
> On Tuesday 06 November 2007 00:54:36 Bob Johnson wrote:
> > So is it a bug or a feature that enabling ip6fw (/etc/rc.d/ip6fw
> > start) also enables ipfw (the ipv4 version)? I didn't see it mentioned
> > in IP6FW(8).
> >
> > It sure surprised me when I was exploring IPv6 setup and I enabled
> > ip6fw without configuring the IPv4 rc.firewall. Locked me out of the
> > remote system, because ssh won't let me log in on IPv6 (I'll post that
> > question in another message), and ipfw came up and locked me out via
> > IPv4. Forced me to go out and enjoy the nice weather yesterday instead
> > of playing with IPv6 all day...
>
> Can't replicate what you said. I am running 6.2-STABLE from June.
> I loaded the ip6fw module and ipfw is not loaded. I also ran the
> ip6fw rc script. Nothing happened regarding ipfw.
>
> root:0:/cdrom# ip6fw show
> 65535 0 0 deny ipv6 from any to any
> root:0:/cdrom# ipfw show
> ipfw: getsockopt(IP_FW_GET): Protocol not available
>
> If you can replicate the problem, please report it.
>
> Nikos
>

Sorry I forgot to mention that this is on 7.0-BETA1.

I find that it only happens the first time I enable the firewall after rebooting. I remove the firewall_enable and ipv6_firewall_enable lines in rc.conf, reboot the system, then put the lines back in rc.conf. Then /etc/rc.d/ip6fw start also starts ipfw.
I'm pretty sure that when this happens, ipfw doesn't load its rules from /etc/rc.firewall, so it is running with only the default deny rule (I'll try to confirm that some time today, but first I need to get some real work done this morning).

After the firewall has been enabled and disabled, re-enabling ip6fw doesn't seem to affect ipfw.

Since this is apparently a bug, I'll file a PR. I'm going to install 7.0-BETA2 later today; I'll try again on that.

- Bob
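
The state described in this message, ipfw running with nothing but its default deny rule, can be recognised from the rule listing itself. The script below is an added example, not part of the original e-mail: it classifies text in the format quoted above, and the function names and the second sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a rule listing (as printed by "ipfw show" or
# "ip6fw show") read from standard input. Prints one of:
#   not-loaded    only the getsockopt "Protocol not available" error
#   default-only  rule 65535 is the only rule and its action is deny
#   configured    any other set of rules
#   unknown       no rule lines and no recognised error
classify_rules() {
    awk '
        /getsockopt/ && /Protocol not available/ { notloaded = 1; next }
        $1 ~ /^[0-9]+$/ {
            # Fields: rule number, packet count, byte count, action, ...
            n++
            if ($1 == 65535 && $4 == "deny") deny = 1
            else other = 1
        }
        END {
            if (notloaded && n == 0)          print "not-loaded"
            else if (n > 0 && deny && !other) print "default-only"
            else if (n > 0)                   print "configured"
            else                              print "unknown"
        }'
}

# Exit status 0 when the listing on stdin drops every packet.
blocks_everything() {
    [ "$(classify_rules)" = "default-only" ]
}

# Listing quoted in the thread (6.2-STABLE, ip6fw loaded).
V6_SAMPLE='65535 0 0 deny ipv6 from any to any'
# Error quoted in the thread (ipfw not loaded).
V4_ABSENT='ipfw: getsockopt(IP_FW_GET): Protocol not available'
# Constructed sample: IPv4 ipfw holding only its default deny rule,
# the state the message describes on 7.0-BETA1.
V4_DEFAULT='65535 0 0 deny ip from any to any'

echo "ip6fw (thread):      $(printf '%s\n' "$V6_SAMPLE" | classify_rules)"
echo "ipfw  (thread):      $(printf '%s\n' "$V4_ABSENT" | classify_rules)"
echo "ipfw  (constructed): $(printf '%s\n' "$V4_DEFAULT" | classify_rules)"

if printf '%s\n' "$V4_DEFAULT" | blocks_everything; then
    echo "IPv4 traffic is fully blocked: do not close the current session"
fi
```

On a live system the listing would come from `ipfw show` or `ip6fw show`, run while an existing session or console is still open.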