[CFR] unified rc.firewall

Benjamin Lee ben at b1c1l1.com
Mon Nov 23 18:27:51 UTC 2009


On 11/23/2009 09:55 AM, John Baldwin wrote:
> On Monday 23 November 2009 12:27:23 pm Hajimu UMEMOTO wrote:
>> Hi,
>>
>>>>>>> On Mon, 23 Nov 2009 10:56:14 -0500
>>>>>>> John Baldwin <jhb at freebsd.org> said:
>> jhb>         # For services permitted below.
>> jhb>         ${fwcmd} add pass tcp  from me to any established
>> jhb> +       if [ $ipv6_available -eq 0 ]; then
>> jhb> +               ${fwcmd} add pass ip6 from any to any proto tcp established
>> jhb> +       fi
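Review bot: the new IPv6 rule is broader than the IPv4 rule directly above it. `tcp from me to any established` passes only segments sourced from one of this host's own addresses, whereas `ip6 from any to any proto tcp established` passes every IPv6 TCP segment with the ACK or RST flag set regardless of direction, leaving the firewall weaker for IPv6 than for IPv4. Since `me` matches only IPv4 addresses, the like-for-like rule would be `${fwcmd} add pass tcp from me6 to any established`; if the wider any-to-any form is kept deliberately (for the setup/established fallback), the weakening deserves a comment next to the rule.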
>>
>> jhb> I think this extra rule here isn't needed at all as the first rule should
>> jhb> already match all of those packets.
>>
>> The WORKSTATION type rule is fully dynamic.  However, I saw it doesn't
>> work for IPv6 as expected.  SSH connection stalls after some period.
>> I suspect the keepalive timer doesn't work well for IPv6.
>> So, I changed to use traditional setup/established rule for TCP/IPv6.
>> Further, 'me' doesn't match an IPv6 address.
> 
> I had missed the me vs any.  It is true that the equivalent rule would use
> me6.  I would rather figure out the IPv6 bug so that TCP is treated the
> same for both protocols instead of having a weaker firewall for IPv6 than
> IPv4.

There is a bug in ipfw send_pkt() that prevents ipfw_tick() from
functioning for IPv6.  See PR kern/117234.


-- 
Benjamin Lee
http://www.b1c1l1.com/
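The thread turns on how ipfw's `established` keyword combines with the source qualifier (`me`, `me6`, `any`). The following is an added illustration, not code from rc.firewall or from anyone in the thread: a toy model of the three candidate rules evaluated against constructed TCP segments. The host addresses (192.0.2.10, 2001:db8::10) and the remote peers are made-up documentation-range values, and the rule matcher is a deliberate simplification of ipfw (only the source qualifier, address family and TCP flags are modelled).

```python
"""Toy model of ipfw 'established' rules with 'me' / 'me6' / 'any'.

Added example (not rc.firewall or ipfw code).  It shows why
'ip6 from any to any proto tcp established' is broader than the IPv4
rule 'tcp from me to any established', and that 'me6' is the narrow
IPv6 analogue.  Addresses below are constructed sample values.
"""
from dataclasses import dataclass
from typing import Optional
import ipaddress

# Addresses this (hypothetical) host owns.  In ipfw, 'me' matches only the
# host's IPv4 addresses and 'me6' only its IPv6 addresses.
MY_IPV4 = {ipaddress.ip_address("192.0.2.10")}
MY_IPV6 = {ipaddress.ip_address("2001:db8::10")}


@dataclass
class Segment:
    """A TCP segment reduced to the fields the rules look at."""
    src: str
    dst: str
    ack: bool = False
    rst: bool = False

    def established(self) -> bool:
        # ipfw 'established' matches a TCP segment with RST or ACK set.
        return self.ack or self.rst


@dataclass
class Rule:
    text: str                  # the rule as it would appear in rc.firewall
    src: str                   # "me", "me6" or "any"
    family: Optional[int] = None  # 6 for an 'ip6 ...' rule, else None

    def matches(self, seg: Segment) -> bool:
        src = ipaddress.ip_address(seg.src)
        if not seg.established():
            return False
        if self.family is not None and src.version != self.family:
            return False
        if self.src == "any":
            return True  # no source restriction at all
        owned = MY_IPV4 if self.src == "me" else MY_IPV6
        return src in owned


RULES = [
    # rc.firewall's existing IPv4 rule: only segments this host sends.
    Rule("pass tcp from me to any established", src="me"),
    # The rule proposed in the thread: any IPv6 source, any destination.
    Rule("pass ip6 from any to any proto tcp established", src="any", family=6),
    # The like-for-like IPv6 rule using me6.
    Rule("pass tcp from me6 to any established", src="me6"),
]


def passing_rules(seg: Segment) -> list[str]:
    """Return the text of every rule that would pass this segment."""
    return [r.text for r in RULES if r.matches(seg)]


def compare() -> dict[str, list[str]]:
    """Evaluate a few constructed segments against all three rules."""
    cases = {
        # Reply from this host over IPv4: the 'me' rule passes it.
        "v4 outbound ACK": Segment("192.0.2.10", "198.51.100.7", ack=True),
        # Inbound IPv4 ACK from a remote peer: none of these rules pass it.
        "v4 inbound ACK": Segment("198.51.100.7", "192.0.2.10", ack=True),
        # Reply from this host over IPv6: 'any' and 'me6' both pass it.
        "v6 outbound ACK": Segment("2001:db8::10", "2001:db8:1::7", ack=True),
        # Inbound IPv6 ACK from a remote peer: only the 'any' rule passes it.
        "v6 inbound ACK": Segment("2001:db8:1::7", "2001:db8::10", ack=True),
        # A bare SYN is never 'established', whatever the source.
        "v6 inbound SYN": Segment("2001:db8:1::7", "2001:db8::10"),
    }
    return {name: passing_rules(seg) for name, seg in cases.items()}


if __name__ == "__main__":
    for name, rules in compare().items():
        print(f"{name:16s} -> {rules or ['(no match)']}")
```

The "v6 inbound ACK" case is the one that matters: the `any`-sourced rule passes it while the `me6` rule does not, which is the asymmetry with IPv4 the thread is discussing. The model ignores ipfw's dynamic (`keep-state`) rules, so it says nothing about the IPv6 stall itself.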
