Date: Tue, 24 Nov 2009 02:27:23 +0900
From: Hajimu UMEMOTO <ume@freebsd.org>
To: John Baldwin <jhb@freebsd.org>
Cc: freebsd-net@freebsd.org, freebsd-current@freebsd.org, Doug Barton <dougb@freebsd.org>
Subject: Re: [CFR] unified rc.firewall
Message-ID: <ygetywlgnic.wl%ume@mahoroba.org>
In-Reply-To: <200911231056.15247.jhb@freebsd.org>
References: <ygeljhyk1qg.wl%ume@mahoroba.org> <4B098D21.4040607@FreeBSD.org> <ygek4xhjmtp.wl%ume@mahoroba.org> <200911231056.15247.jhb@freebsd.org>
Hi,

>>>>> On Mon, 23 Nov 2009 10:56:14 -0500
>>>>> John Baldwin <jhb@freebsd.org> said:

jhb> @@ -178,6 +212,16 @@
jhb> # Allow any traffic to or from my own net.
jhb> ${fwcmd} add pass all from me to ${net}
jhb> ${fwcmd} add pass all from ${net} to me
jhb> + if [ -n "$net6" ]; then
jhb> + ${fwcmd} add pass ip6 from me6 to ${net6}
jhb> + ${fwcmd} add pass ip6 from ${net6} to me6
jhb> + fi
jhb> +
jhb> + if [ -n "$net6" ]; then
jhb> + # Allow any link-local multicast traffic
jhb> + ${fwcmd} add pass ip6 from fe80::/10 to ff02::/16
jhb> + ${fwcmd} add pass ip6 from ${net6} to ff02::/16
jhb> + fi

jhb> Any reason to not use 'all' here rather than 'ip6' to match the earlier IPv4
jhb> rules?

Thank you for the review.
The rule is only applicable for IPv6.  Rather, I prefer to use 'ip4'
explicitly over 'all' or 'ip' here.  However, changing 'all' to 'ip4'
makes the diff complex.  So, I keep 'all' as is.

jhb> @@ -273,6 +329,55 @@
jhb> ${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
jhb> ${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}
jhb>
jhb> + if [ -n "$oif6" -a -n "$onet6" -a -n "$iif6" -a -n "$inet6" ]; then
jhb> + # Stop unique local unicast address on the outside interface
jhb> + ${fwcmd} add deny ip6 from fc00::/7 to any via ${oif6}
jhb> + ${fwcmd} add deny ip6 from any to fc00::/7 via ${oif6}
jhb> +
jhb> ....

jhb> Similarly here, why not use 'all' instead of 'ip6'?

Same as above.

jhb> @@ -291,7 +396,11 @@
jhb> ${fwcmd} add pass tcp from any to me 80 setup
jhb>
jhb> # Reject&Log all setup of incoming connections from the outside
jhb> - ${fwcmd} add deny log tcp from any to any in via ${oif} setup
jhb> + ${fwcmd} add deny log ip4 from any to any in via ${oif} setup proto
jhb> tcp
jhb> + if [ -n "$oif6" -a -n "$onet6" -a -n "$iif6" -a -n "$inet6" ]; then
jhb> + ${fwcmd} add deny log ip6 from any to any in via ${oif6} \
jhb> + setup proto tcp
jhb> + fi

jhb> I would actually not use separate v6 interfaces for the 'simple' firewall
jhb> but just have 'oif', 'onet', and 'onet_ipv6' variables.  Then you don't need
jhb> this diff at all as the existing rule will work fine.

Yup, it should make the rule simpler.  However, many sites still use a
tunnel for IPv6 connectivity.  I think separating 'oif' and 'oif6' makes
such sites happy.  So, this diff should make sense, IMHO.

jhb> # For services permitted below.
jhb> ${fwcmd} add pass tcp from me to any established
jhb> + if [ $ipv6_available -eq 0 ]; then
jhb> + ${fwcmd} add pass ip6 from any to any proto tcp established
jhb> + fi

jhb> I think this extra rule here isn't needed at all as the first rule should
jhb> already match all of those packets.

The WORKSTATION type rule is fully dynamic.  However, I saw it doesn't
work for IPv6 as expected.  SSH connections stall after some period.
I suspect the keepalive timer doesn't work well for IPv6.  So, I changed
to use the traditional setup/established rule for TCP/IPv6.  Further,
'me' doesn't match an IPv6 address.

jhb> # Allow any connection out, adding state for each.
jhb> ${fwcmd} add pass tcp from me to any setup keep-state
jhb> ${fwcmd} add pass udp from me to any keep-state
jhb> ${fwcmd} add pass icmp from me to any keep-state
jhb> + if [ $ipv6_available -eq 0 ]; then
jhb> + ${fwcmd} add pass ip6 from me6 to any proto tcp setup
jhb> + ${fwcmd} add pass ip6 from me6 to any proto udp keep-state
jhb> + ${fwcmd} add pass ip6 from me6 to any proto ipv6-icmp \
jhb> + keep-state
jhb> + fi

jhb> I think it is more consistent to use 'pass tcp from me6 to any' similar to
jhb> the IPv4 rules here.  It is also shorter and easier to read that way IMO.

I thought a similar thing with 'all' vs 'ip4'.  Rather, I prefer to
change the IPv4 rules.  However, if 'all' is preferable, I'll change it.

Sincerely,

--
Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan
ume@mahoroba.org  ume@{,jp.}FreeBSD.org
http://www.imasy.org/~ume/
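Review bot: in the @@ -178,6 +212,16 @@ hunk the link-local multicast rule '${fwcmd} add pass ip6 from fe80::/10 to ff02::/16' sits inside the second 'if [ -n "$net6" ]' block although it does not reference net6 at all; link-local multicast is what neighbor discovery, router solicitation and MLD run over, so a host that has IPv6 but no configured net6 still needs it. Guard that one rule on $ipv6_available (the variable the later hunks already use) and fold the two back-to-back 'if [ -n "$net6" ]' blocks, which are separated only by a blank line, into a single block.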
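Review bot: the guard '[ -n "$oif6" -a -n "$onet6" -a -n "$iif6" -a -n "$inet6" ]' that opens the @@ -273,6 +329,55 @@ hunk is repeated verbatim in the @@ -291,7 +396,11 @@ hunk; a four-clause condition copied by hand is easy to get out of sync, so evaluate it once into a variable (for example simple_ipv6=yes) near the other variable setup and test that instead. The two 'deny ip6 ... fc00::/7 ... via ${oif6}' lines mirror the IPv4 multicast/reserved denies above them, but the rest of the hunk is elided ('....') in this quote, so the remaining lines of it are not covered by this comment.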
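Review bot: the @@ -291,7 +396,11 @@ hunk narrows the existing catch-all rather than extending it: the removed 'deny log tcp from any to any in via ${oif} setup' matched TCP over either IP version (an ipfw protocol name is not tied to ip4 or ip6), whereas the new 'ip4 ... setup proto tcp' form matches only IPv4 and its IPv6 twin is emitted only when all four of oif6, onet6, iif6 and inet6 are non-empty. A host carrying IPv6 on ${oif} with, say, no iif6 set therefore silently stops logging and denying inbound IPv6 SYNs at this point. Either keep the version-agnostic 'tcp' rule and add only the oif6-specific one, or guard the IPv6 rule on oif6 alone. Two smaller points: 'setup' already limits the match to TCP, so 'proto tcp' is redundant, and the first '+' line is wrapped between 'proto' and 'tcp' in the quote, so confirm the line is intact in the real patch.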
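Review bot: in the '# For services permitted below.' hunk, '${fwcmd} add pass ip6 from any to any proto tcp established' is much wider than the IPv4 line above it ('from me to any established'); with no address restriction it passes every IPv6 TCP segment carrying ACK or RST in either direction, forwarded traffic included, which is the well-known weakness of a stateless 'established' rule and admits unsolicited ACK/RST segments to any port. Since the patch already defines 'me6', 'from any to me6' for the inbound replies plus 'from me6 to any' for the outbound side keeps the rule to this host's own connections while still avoiding the keep-state problem described in the reply. Also quote the variable in '[ $ipv6_available -eq 0 ]': if it is ever unset the test degenerates to '[ -eq 0 ]' and the script errors.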
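Review bot: in the '# Allow any connection out, adding state for each.' hunk the three IPv6 rules mirror the IPv4 trio, but 'pass ip6 from me6 to any proto tcp setup' deliberately omits 'keep-state' while the udp and ipv6-icmp lines keep it, so returning IPv6 TCP traffic depends entirely on the separate 'established' rule rather than on the dynamic table. The reason given in this thread (SSH sessions over IPv6 stalling with keep-state) should be written as a comment next to the rule, otherwise the next reader will restore 'keep-state' for consistency and reintroduce the stall. As in the previous hunk, quote '$ipv6_available' in the test.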