From: Charlie Schluting
To: freebsd-net@freebsd.org
Date: Mon, 20 Dec 2004 18:05:16 -0800
Subject: firewalling with tunnels, and/or ipv6
List-Id: Networking and TCP/IP with FreeBSD

Ok, I've got a v6 tunnel, and to make it work I had to "allow ipv6 from " in ipfw. From what I understand, I have to make a completely different set of rules for ipv6, and load them using the -6 flag. Correct so far?
Ok, so I want to set up an ipip v4 tunnel to another box (that runs ipf), and then squirt ipv6 through the tunnel. Sounds easy, but I can't even seem to get the ipip tunnel working.

The question: How do you configure ipf/ipfw (in a general sense) to allow ipip tunnels? More importantly, if I "allow ipip from " does that mean I just poked a big-ass hole in the firewall... i.e. anything coming through the ipip tunnel will pass? Or does that make an IP layer be shed, and then the packet is run through all the rules again? Inefficient, but I'd think this would be the desired behavior.

At any rate, simply allowing ipip from doesn't allow the v4 tunnel to work. What else is needed? (of course static routes, etc.)

I think I'll stop here for now; once that's clear I should be able to set it up.

Thanks,
_Charlie
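Editor's note on the "big hole" question above. An "allow ipencap from PEER to LOCAL" (protocol 4) or "allow ipv6 from PEER to LOCAL" (protocol 41) rule only matches the outer header: it says nothing about what is inside the tunnel. On FreeBSD the gif(4) driver strips the outer header and reinjects the inner packet into the IP input path, so ipfw evaluates it a second time with the gif interface as the receiving interface; the rules that actually constrain tunnelled traffic are therefore the ones matched against the inner packet (e.g. keyed on "via gif0"), and a ruleset that stops at the outer rule is indeed a hole. The model below, written for this note and not part of the original message or of FreeBSD/ipfw, makes that concrete: it parses an outer IPv4 header, applies an outer rule equivalent to the ones quoted, decapsulates protocol 4 and 41 payloads, and re-filters the inner header. All addresses, prefixes and packets are constructed from RFC 5737 / RFC 3849 documentation space; the tunnel endpoints, the peer prefixes and the inner policy are assumptions for illustration.

```python
"""Toy model of firewalling IP-in-IP (proto 4) and IPv6-in-IPv4 (proto 41)
tunnels.  Constructed example; not FreeBSD or ipfw code, and the policy is an
assumption chosen to show why the inner packet must be filtered again."""
import ipaddress
import struct

IPPROTO_IPIP = 4    # IPv4 inside IPv4 (ipfw "ipencap" / "ipip")
IPPROTO_IPV6 = 41   # IPv6 inside IPv4 (a gif / 6in4 tunnel)

# Assumed tunnel endpoints (constructed, RFC 5737 space).
TUNNEL_PEER = ipaddress.IPv4Address("192.0.2.1")
TUNNEL_LOCAL = ipaddress.IPv4Address("198.51.100.2")
# Assumed prefixes legitimately sourced from the far end of the tunnel (constructed).
PEER_V4_NET = ipaddress.IPv4Network("10.1.0.0/16")
PEER_V6_NET = ipaddress.IPv6Network("2001:db8:1::/48")


def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement sum over a header whose checksum field is zero."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options, TTL 64) with a valid checksum."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, src.packed, dst.packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_ipv6(src, dst, next_header: int, payload: bytes) -> bytes:
    """Minimal IPv6 header (no extension headers, hop limit 64)."""
    src, dst = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    return struct.pack("!IHBB16s16s", 6 << 28, len(payload), next_header, 64,
                       src.packed, dst.packed) + payload


def parse_ip(pkt: bytes) -> dict:
    """Parse the outermost header of an IPv4 or IPv6 packet, with length checks."""
    if not pkt:
        raise ValueError("empty packet")
    version = pkt[0] >> 4
    if version == 4:
        if len(pkt) < 20:
            raise ValueError("truncated IPv4 header")
        ihl = (pkt[0] & 0x0F) * 4
        total_len = struct.unpack("!H", pkt[2:4])[0]
        if ihl < 20 or total_len < ihl or len(pkt) < total_len:
            raise ValueError("inconsistent IPv4 lengths")
        return {"version": 4, "proto": pkt[9],
                "src": ipaddress.IPv4Address(pkt[12:16]),
                "dst": ipaddress.IPv4Address(pkt[16:20]),
                "payload": pkt[ihl:total_len]}
    if version == 6:
        if len(pkt) < 40:
            raise ValueError("truncated IPv6 header")
        plen = struct.unpack("!H", pkt[4:6])[0]
        if len(pkt) < 40 + plen:
            raise ValueError("inconsistent IPv6 payload length")
        return {"version": 6, "proto": pkt[6],
                "src": ipaddress.IPv6Address(pkt[8:24]),
                "dst": ipaddress.IPv6Address(pkt[24:40]),
                "payload": pkt[40:40 + plen]}
    raise ValueError("not IPv4 or IPv6")


def outer_rules(hdr: dict) -> bool:
    """The ipfw-style 'allow ipencap|ipv6 from PEER to LOCAL' rule as a predicate."""
    return (hdr["version"] == 4
            and hdr["proto"] in (IPPROTO_IPIP, IPPROTO_IPV6)
            and hdr["src"] == TUNNEL_PEER and hdr["dst"] == TUNNEL_LOCAL)


def inner_rules(hdr: dict) -> bool:
    """Assumed policy for what may come out of the tunnel: the inner source must
    belong to the peer's prefixes (rejects e.g. a spoofed local-LAN source)."""
    if hdr["version"] == 4:
        return hdr["src"] in PEER_V4_NET
    return hdr["src"] in PEER_V6_NET


def filter_packet(pkt: bytes, refilter_inner: bool = True) -> str:
    """Return 'allow' or 'deny'.  refilter_inner=False models a firewall that
    stops at the outer rule, i.e. the hole the question worries about."""
    outer = parse_ip(pkt)
    if not outer_rules(outer):
        return "deny"
    if not refilter_inner:
        return "allow"
    try:
        inner = parse_ip(outer["payload"])
    except ValueError:
        return "deny"          # malformed payload inside a tunnel is not forwarded
    expected_version = 4 if outer["proto"] == IPPROTO_IPIP else 6
    if inner["version"] != expected_version:
        return "deny"          # proto 4 must carry IPv4, proto 41 must carry IPv6
    return "allow" if inner_rules(inner) else "deny"
```

With refilter_inner=True a packet from the right peer whose inner source is spoofed from the local LAN is dropped; with refilter_inner=False the same packet sails through on the strength of the outer rule alone. That second behaviour is what an outer-only ruleset buys you, regardless of which firewall (ipfw or ipf) sits at each end.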