From owner-freebsd-current@FreeBSD.ORG Mon Nov 23 17:27:38 2009
Date: Tue, 24 Nov 2009 02:27:23 +0900
From: Hajimu UMEMOTO
To: John Baldwin
Cc: freebsd-net@freebsd.org, freebsd-current@freebsd.org, Doug Barton
Subject: Re: [CFR] unified rc.firewall
In-Reply-To: <200911231056.15247.jhb@freebsd.org>
References: <4B098D21.4040607@FreeBSD.org> <200911231056.15247.jhb@freebsd.org>
Organization: Internet Mutual Aid Society, YOKOHAMA
X-Operating-System: FreeBSD 8.0-RELEASE
List-Id: Discussions about the use of FreeBSD-current

Hi,

>>>>> On Mon, 23 Nov 2009 10:56:14 -0500
>>>>> John Baldwin said:

jhb> @@ -178,6 +212,16 @@
jhb> # Allow any traffic to or from my own net.
jhb> ${fwcmd} add pass all from me to ${net}
jhb> ${fwcmd} add pass all from ${net} to me
jhb> + if [ -n "$net6" ]; then
jhb> + ${fwcmd} add pass ip6 from me6 to ${net6}
jhb> + ${fwcmd} add pass ip6 from ${net6} to me6
jhb> + fi
jhb> +
jhb> + if [ -n "$net6" ]; then
jhb> + # Allow any link-local multicast traffic
jhb> + ${fwcmd} add pass ip6 from fe80::/10 to ff02::/16
jhb> + ${fwcmd} add pass ip6 from ${net6} to ff02::/16
jhb> + fi

jhb> Any reason to not use 'all' here rather than 'ip6' to match the earlier IPv4
jhb> rules?

Thank you for the review.  The rule is only applicable to IPv6.
Rather, I prefer to use 'ip4' explicitly over 'all' or 'ip' here.
However, changing 'all' to 'ip4' makes the diff complex.  So, I keep
'all' as is.

jhb> @@ -273,6 +329,55 @@
jhb> ${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
jhb> ${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}
jhb>
jhb> + if [ -n "$oif6" -a -n "$onet6" -a -n "$iif6" -a -n "$inet6" ]; then
jhb> + # Stop unique local unicast address on the outside interface
jhb> + ${fwcmd} add deny ip6 from fc00::/7 to any via ${oif6}
jhb> + ${fwcmd} add deny ip6 from any to fc00::/7 via ${oif6}
jhb> +
jhb> ....

jhb> Similarly here, why not use 'all' instead of 'ip6'?

Same as above.

jhb> @@ -291,7 +396,11 @@
jhb> ${fwcmd} add pass tcp from any to me 80 setup
jhb>
jhb> # Reject&Log all setup of incoming connections from the outside
jhb> - ${fwcmd} add deny log tcp from any to any in via ${oif} setup
jhb> + ${fwcmd} add deny log ip4 from any to any in via ${oif} setup proto
jhb> tcp
jhb> + if [ -n "$oif6" -a -n "$onet6" -a -n "$iif6" -a -n "$inet6" ]; then
jhb> + ${fwcmd} add deny log ip6 from any to any in via ${oif6} \
jhb> + setup proto tcp
jhb> + fi

jhb> I would actually not use separate v6 interfaces for the 'simple' firewall
jhb> but just have 'oif', 'onet', and 'onet_ipv6' variables.  Then you don't need
jhb> this diff at all as the existing rule will work fine.

Yup, it should make the rules simpler.  However, many sites still use
a tunnel for IPv6 connectivity.  I think separating 'oif' and 'oif6'
makes such sites happy.  So, this diff should make sense, IMHO.

jhb> # For services permitted below.
jhb> ${fwcmd} add pass tcp from me to any established
jhb> + if [ $ipv6_available -eq 0 ]; then
jhb> + ${fwcmd} add pass ip6 from any to any proto tcp established
jhb> + fi

jhb> I think this extra rule here isn't needed at all as the first rule should
jhb> already match all of those packets.

The WORKSTATION type rule is fully dynamic.  However, I saw it doesn't
work for IPv6 as expected.  SSH connections stall after some period.
I suspect the keepalive timer doesn't work well for IPv6.  So, I
changed to use the traditional setup/established rule for TCP/IPv6.
Further, 'me' doesn't match IPv6 addresses.

jhb> # Allow any connection out, adding state for each.
jhb> ${fwcmd} add pass tcp from me to any setup keep-state
jhb> ${fwcmd} add pass udp from me to any keep-state
jhb> ${fwcmd} add pass icmp from me to any keep-state
jhb> + if [ $ipv6_available -eq 0 ]; then
jhb> + ${fwcmd} add pass ip6 from me6 to any proto tcp setup
jhb> + ${fwcmd} add pass ip6 from me6 to any proto udp keep-state
jhb> + ${fwcmd} add pass ip6 from me6 to any proto ipv6-icmp \
jhb> + keep-state
jhb> + fi

jhb> I think it is more consistent to use 'pass tcp from me6 to any' similar to
jhb> the IPv4 rules here.  It is also shorter and easier to read that way IMO.

I thought a similar thing with 'all' vs 'ip4'.  Rather, I prefer to
change the IPv4 rules.  However, if 'all' is preferable, I'll change
so.

Sincerely,

--
Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan
ume@mahoroba.org  ume@{,jp.}FreeBSD.org
http://www.imasy.org/~ume/
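Review bot: in the @@ -178,6 +212,16 @@ hunk the two consecutive `if [ -n "$net6" ]; then ... fi` blocks test the same variable and can be one block, with the link-local multicast rules following the me6/${net6} rules. Worth a comment there as well: `${fwcmd} add pass ip6 from fe80::/10 to ff02::/16` is not scoped to ${net6} the way the neighbouring rules are scoped to ${net}, ${net6} or me6, so it admits link-local-sourced multicast on every interface; if that is intended (neighbour discovery on all links), say so next to the rule so a later reader does not tighten it by mistake.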
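Review bot: in the @@ -273,6 +329,55 @@ hunk (and again in @@ -291,7 +396,11 @@) the guard `if [ -n "$oif6" -a -n "$onet6" -a -n "$iif6" -a -n "$inet6" ]; then` requires all four IPv6 variables, but the deny rules inside reference only ${oif6}. A site that sets just the outside-interface variables, which is exactly the tunnel case the reply argues for, therefore gets neither the fc00::/7 deny rules nor the `deny log ip6 ... in via ${oif6} setup proto tcp` rule, and those inbound v6 packets fall through to the later rules and the default policy without the logging the IPv4 rule provides. Gate each block on the variables it actually uses, e.g. `if [ -n "$oif6" ]; then` for the outside-interface rules. Minor: `-a` inside `[ ]` is obsolescent in POSIX; `[ -n "$oif6" ] && [ -n "$onet6" ]` is the portable spelling.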
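Review bot: in the `# For services permitted below.` region, `${fwcmd} add pass ip6 from any to any proto tcp established` is much wider than the IPv4 rule beside it, which is limited to `from me to any`: it passes any IPv6 TCP segment with ACK or RST set, in either direction, to any port. It has to be that wide because the next region's `pass ip6 from me6 to any proto tcp setup` carries no `keep-state`, so return traffic for the workstation's own outbound connections can only come in through this rule. That is the class of packets the dynamic IPv4 rules were added to avoid passing blindly, so at minimum the trade-off (keepalive problem in the reply vs. a stateless established rule) deserves a comment in rc.firewall next to the rule; if the state problem is specific to the TCP keepalive timer, keeping `keep-state` on the udp and ipv6-icmp rules but narrowing the established rule to `from any to me6` would at least limit it to segments addressed to this host.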