[CFR] unified rc.firewall
Hajimu UMEMOTO
ume at freebsd.org
Mon Nov 23 17:27:38 UTC 2009
Hi,
>>>>> On Mon, 23 Nov 2009 10:56:14 -0500
>>>>> John Baldwin <jhb at freebsd.org> said:
jhb> @@ -178,6 +212,16 @@
jhb> # Allow any traffic to or from my own net.
jhb> ${fwcmd} add pass all from me to ${net}
jhb> ${fwcmd} add pass all from ${net} to me
jhb> + if [ -n "$net6" ]; then
jhb> + ${fwcmd} add pass ip6 from me6 to ${net6}
jhb> + ${fwcmd} add pass ip6 from ${net6} to me6
jhb> + fi
jhb> +
jhb> + if [ -n "$net6" ]; then
jhb> + # Allow any link-local multicast traffic
jhb> + ${fwcmd} add pass ip6 from fe80::/10 to ff02::/16
jhb> + ${fwcmd} add pass ip6 from ${net6} to ff02::/16
jhb> + fi
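Review bot: the two 'if [ -n "$net6" ]' blocks in this hunk test the same condition back to back and could be a single block. More importantly, the 'pass ip6 from fe80::/10 to ff02::/16' rule inside the second block does not depend on net6 at all: link-local multicast is what neighbour discovery and router advertisements ride on, so a host with IPv6 but no configured site prefix loses that traffic once net6 is empty. Suggest moving that one rule outside the net6 guard (or guarding it on IPv6 availability instead).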
jhb> Any reason to not use 'all' here rather than 'ip6' to match the earlier IPv4
jhb> rules?
Thank you for the review.
The rule is only applicable to IPv6. Rather, I prefer to use 'ip4'
explicitly over 'all' or 'ip' here. However, changing 'all' to 'ip4'
makes the diff complex. So, I keep 'all' as is.
jhb> @@ -273,6 +329,55 @@
jhb> ${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
jhb> ${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}
jhb>
jhb> + if [ -n "$oif6" -a -n "$onet6" -a -n "$iif6" -a -n "$inet6" ]; then
jhb> + # Stop unique local unicast address on the outside interface
jhb> + ${fwcmd} add deny ip6 from fc00::/7 to any via ${oif6}
jhb> + ${fwcmd} add deny ip6 from any to fc00::/7 via ${oif6}
jhb> +
jhb> ....
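Review bot: the guard 'if [ -n "$oif6" -a -n "$onet6" -a -n "$iif6" -a -n "$inet6" ]' chains four tests with -a, which POSIX marks obsolescent and which test(1) is not required to parse unambiguously with that many arguments; '[ -n "$oif6" ] && [ -n "$onet6" ] && [ -n "$iif6" ] && [ -n "$inet6" ]' is the portable spelling. Since the same four-way test is repeated for the later deny log rule, computing it once into a single variable would also keep the two sites from drifting apart.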
jhb> Similarly here, why not use 'all' instead of 'ip6'?
Same as above.
jhb> @@ -291,7 +396,11 @@
jhb> ${fwcmd} add pass tcp from any to me 80 setup
jhb>
jhb> # Reject&Log all setup of incoming connections from the outside
jhb> - ${fwcmd} add deny log tcp from any to any in via ${oif} setup
jhb> + ${fwcmd} add deny log ip4 from any to any in via ${oif} setup proto
jhb> tcp
jhb> + if [ -n "$oif6" -a -n "$onet6" -a -n "$iif6" -a -n "$inet6" ]; then
jhb> + ${fwcmd} add deny log ip6 from any to any in via ${oif6} \
jhb> + setup proto tcp
jhb> + fi
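Review bot: the rewritten deny rule reads '... in via ${oif} setup proto' on one line and 'tcp' on the next; if that is how it lands in the file rather than being mail wrapping, 'tcp' becomes a separate command and the deny rule would not parse as intended (a dangling 'proto'). Either join the line or continue it with a backslash, as the ip6 rule a few lines below already does. The four-way -n test is the same one used in the earlier hunk and would benefit from being factored into one variable.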
jhb> I would actually not use separate v6 interfaces for the 'simple' firewall
jhb> but just have 'oif', 'onet', and 'onet_ipv6' variables. Then you don't need
jhb> this diff at all as the existing rule will work fine.
Yup, it should make the rules simpler. However, many sites still use a
tunnel for IPv6 connectivity. I think separating 'oif' and 'oif6'
makes such sites happy. So, this diff should make sense, IMHO.
jhb> # For services permitted below.
jhb> ${fwcmd} add pass tcp from me to any established
jhb> + if [ $ipv6_available -eq 0 ]; then
jhb> + ${fwcmd} add pass ip6 from any to any proto tcp established
jhb> + fi
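Review bot: '$ipv6_available' is unquoted in '[ $ipv6_available -eq 0 ]'; if the variable is ever unset the test collapses to '[ -eq 0 ]' and errors, so quote it, and the 0-means-available convention deserves a comment since it reads backwards. The new rule is also wider than its IPv4 neighbour: 'from any to any proto tcp established' passes any ACK-bearing segment in either direction, where the v4 rule beside it is limited to 'from me'; 'from me6 to any' would match the intent stated in the comment.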
jhb> I think this extra rule here isn't needed at all as the first rule should
jhb> already match all of those packets.
The WORKSTATION type rules are fully dynamic. However, I saw it doesn't
work for IPv6 as expected. SSH connections stall after some period.
I suspect the keepalive timer doesn't work well for IPv6.
So, I changed to use the traditional setup/established rule for TCP/IPv6.
Further, 'me' doesn't match IPv6 addresses.
jhb> # Allow any connection out, adding state for each.
jhb> ${fwcmd} add pass tcp from me to any setup keep-state
jhb> ${fwcmd} add pass udp from me to any keep-state
jhb> ${fwcmd} add pass icmp from me to any keep-state
jhb> + if [ $ipv6_available -eq 0 ]; then
jhb> + ${fwcmd} add pass ip6 from me6 to any proto tcp setup
jhb> + ${fwcmd} add pass ip6 from me6 to any proto udp keep-state
jhb> + ${fwcmd} add pass ip6 from me6 to any proto ipv6-icmp \
jhb> + keep-state
jhb> + fi
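Review bot: the IPv6 TCP rule is 'setup' without 'keep-state' while the IPv4 rule beside it is 'setup keep-state'; to a reader of the script that looks like an omission. The reason given in the reply above (sessions stalling under keep-state for v6) should be recorded in a comment in the script itself, otherwise the next person to touch this block will "fix" it back. '$ipv6_available' should be quoted in the test here as well.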
jhb> I think it is more consistent to use 'pass tcp from me6 to any' similar to
jhb> the IPv4 rules here. It is also shorter and easier to read that way IMO.
I thought a similar thing about 'all' vs 'ip4'. Rather, I prefer to
change the IPv4 rules. However, if 'all' is preferable, I'll change it so.
Sincerely,
--
Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan
ume at mahoroba.org ume@{,jp.}FreeBSD.org
http://www.imasy.org/~ume/
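As an added example, not FreeBSD's rc.firewall and not code from either participant above, the following POSIX sh script emits the dual-stack rule set discussed in this thread in dry-run form (every rule is echoed rather than installed), so the two different guards, 'net6' for the local-net rules and the exit-code style 'ipv6_available' for the outbound rules, can be inspected offline. The prefixes 192.0.2.0/24 and 2001:db8::/48 are constructed documentation addresses, and the function names and the check_config consistency test are assumptions of this example.

```shell
#!/bin/sh
# Added example, not FreeBSD's rc.firewall: emit the dual-stack ipfw rule
# set discussed above in dry-run form so the guard logic can be inspected
# offline.  Everything is echoed; set fwcmd=ipfw to apply on a real host.
fwcmd="${fwcmd:-echo ipfw}"

# Emit the rules for a host on local nets $1 (IPv4) and $2 (IPv6, may be
# empty).  $3 is the exit-code style flag the patch uses: 0 = IPv6 stack
# available, anything else = not available.
emit_rules() {
    net="$1"; net6="$2"; ipv6_available="$3"

    # Local net.  'ip4' is stated explicitly instead of 'all' so the rule
    # cannot silently start matching IPv6; 'me' only matches the host's
    # IPv4 addresses, so the IPv6 side needs its own 'me6' rules.
    ${fwcmd} add pass ip4 from me to "${net}"
    ${fwcmd} add pass ip4 from "${net}" to me
    if [ -n "$net6" ]; then
        ${fwcmd} add pass ip6 from me6 to "${net6}"
        ${fwcmd} add pass ip6 from "${net6}" to me6
        # link-local multicast (neighbour discovery, router advertisements)
        ${fwcmd} add pass ip6 from fe80::/10 to ff02::/16
        ${fwcmd} add pass ip6 from "${net6}" to ff02::/16
    fi

    # Outbound.  IPv4 is fully dynamic (keep-state).  For TCP over IPv6 the
    # reply above reports stalled sessions with keep-state, so it falls back
    # to the stateless setup/established pair; UDP and ICMPv6 keep state.
    ${fwcmd} add pass tcp from me to any setup keep-state
    ${fwcmd} add pass udp from me to any keep-state
    ${fwcmd} add pass icmp from me to any keep-state
    if [ "$ipv6_available" -eq 0 ]; then
        ${fwcmd} add pass ip6 from any to any proto tcp established
        ${fwcmd} add pass ip6 from me6 to any proto tcp setup
        ${fwcmd} add pass ip6 from me6 to any proto udp keep-state
        ${fwcmd} add pass ip6 from me6 to any proto ipv6-icmp keep-state
    fi
}

# Count the rules in $1 that match address family $2 (ip4 or ip6).
count_family() {
    printf '%s\n' "$1" | grep -c " $2 " || true
}

# Configuration check (assumed helper): an IPv6 prefix with the IPv6 stack
# flagged as unavailable means the local-net rules above get installed
# while the outbound ones are skipped, leaving v6 hosts half-filtered.
# Returns 0 when the combination is consistent.
check_config() {
    net6="$1"; ipv6_available="$2"
    if [ -n "$net6" ] && [ "$ipv6_available" -ne 0 ]; then
        echo "inconsistent: net6=$net6 but ipv6_available=$ipv6_available" >&2
        return 1
    fi
    return 0
}

# Dry run with constructed prefixes: rules are printed, not installed.
if [ "${1:-}" = "--demo" ]; then
    rules=$(emit_rules 192.0.2.0/24 2001:db8::/48 0)
    printf '%s\n' "$rules"
    echo "ip6 rules: $(count_family "$rules" ip6)"
fi
```

Run it as 'sh script.sh --demo' to see the full rule list; with both prefixes set and IPv6 available it produces eight ip6 rules and two explicit ip4 rules, and with net6 empty and IPv6 unavailable no ip6 rule at all. check_config flags the half-configured case where a v6 prefix is set but the stack is reported unavailable.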