ipfw2 and ipv6 - strange things happening
Andreas Kohn
andreas at syndrom23.de
Wed Oct 5 04:47:11 PDT 2005
Hi,
I'm in the process of refining my ipfw(2) rules.
The strangeness is that I am apparently unable to filter certain ipv6
traffic correctly:
# ipfw add 1650 pass proto 41 via rl0
01650 allow ip from any to any via rl0
# ipfw -c list 1650
01650 allow via rl0
This should have been "allow proto 41 via rl0", no?
An overview of what I'd like to accomplish:
[LAN, using IPv4 192.168.0.0/16, and IPv6]
|
|
vr0: 192.168.0.1
router
rl0: 212.204.44.203, gif0, stf0
|
|
[internet]
The router is the ipfw machine, currently running
FreeBSD 7.0-CURRENT #35: Sun Oct 2 14:16:27 CEST 2005
The router has a few interfaces:
rl0 - Outside interface to the cable modem
vr0 - Inside interface to the lan
gif0 - SixXS IPv6 tunnel
00050 divert 8668 via rl0
[using natd for IPv4]
00100 allow via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
[standard localhost rules]
00400 allow not via rl0
[allow any traffic floating around in the local net]
00500 deny dst-port 135,139,445 recv rl0
[kill some windows traffic from the internet early]
00600 allow tcp from any to any established
00700 allow frag
[allow anything which originated from here, and frags]
00800 allow proto icmp
[allow any kind of icmp]
00900 allow tcp from 212.204.44.203 to any setup
01000 allow tcp from 192.168.0.0/16 to any setup
[allow any ipv4 originating from here]
01100 allow tcp from any to me dst-port 22,80,8180
[allow services]
01200 deny log tcp from any to any setup
[log and drop excess traffic]
01300 allow udp from 212.204.44.203 to any dst-port 53 keep-state
01400 allow udp from 212.204.44.203 to any dst-port 123 keep-state
[dns, ntp]
01500 allow ip from any to 212.224.0.188
01600 allow ip from 212.224.0.188 to me
[SixXS tunnel, see below]
01700 reset log ip from any to any
65535 deny ip from any to any
That works, more or less.
Rules 1500 and 1600 were originally written as
"allow proto 41 via rl0", to catch any and all encapsulated ipv6
traffic. I assumed from reading that the ipv6-in-ipv4 packets run at
least twice through the firewall, the first time as an ipv4 packet and the
second time as an ipv6 packet?
212.224.0.188 is deham01.sixxs.net, my SixXS tunnel endpoint.
Now, I would like to add a 6to4 interface, and with that I can no longer
use the "workaround" of filtering by the tunnel endpoint, because the
endpoint can be potentially any and all ipv4 address in the world.
Enabling verbose mode, I see
1700 Reset P:41 139.30.130.13 212.204.44.203 in via rl0
in /var/log/security, which I can associate with the ping6 I started on
2002:8b1e:820d::1.
I see exactly the same "Reset P:41" for the SixXS tunnel if I remove
rules 1500+1600.
But from looking at the above ipfw list output, I cannot filter these
P:41 packets by their P:41.
So for the short final questions:
a) should "pass proto 41 via rl0" do what I expect? Allow encapsulated
ipv6 traffic? Is just the display of the rule a little
broken/misleading?
b) How would I filter 6to4 traffic so that the encapsulated packets are
passed through, and afterwards filtered as regular ipv6 traffic?
It would be nice if you had any pointers to things I'm missing here.
Best regards,
Andreas
--
<ankon> aha!!!
<camel69> you forgot 1111111oneoneeleveneleven
<dv_> the eleven is overrated.
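An added example, not part of Andreas's message or of ipfw itself: a small Python parser for the ipfw verbose log lines of the kind quoted above, which picks out rejected proto-41 (IPv6-in-IPv4) packets per outer source on rl0, so one can see which tunnel endpoints are hitting the catch-all rule before writing a rule for them. The first sample line is the one from the message; the other lines, the hostname and the timestamps are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# ipfw verbose log lines as written to /var/log/security. The first line is the
# one quoted in the message above; the remaining lines are constructed samples.
SAMPLE_LOG = """\
Oct  5 12:01:02 router kernel: ipfw: 1700 Reset P:41 139.30.130.13 212.204.44.203 in via rl0
Oct  5 12:01:03 router kernel: ipfw: 1200 Deny TCP 198.51.100.7:40000 212.204.44.203:25 in via rl0
Oct  5 12:01:04 router kernel: ipfw: 1700 Reset P:41 212.224.0.188 212.204.44.203 in via rl0
Oct  5 12:01:05 router kernel: ipfw: 1700 Reset UDP 203.0.113.9:5353 212.204.44.203:5353 in via rl0
"""

# "<rule> <action> <proto> <src> <dst> <in|out> via <iface>"; TCP/UDP carry ports.
LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\S+) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<dir>in|out) via (?P<iface>\S+)"
)

@dataclass
class Entry:
    rule: int
    action: str
    proto: str       # "TCP", "UDP", "ICMP", or "P:<number>" for other protocols
    src: str
    dst: str
    direction: str
    iface: str

    @property
    def proto_number(self) -> Optional[int]:
        """Numeric IP protocol for the 'P:<n>' form (41 = IPv6-in-IPv4), else None."""
        return int(self.proto[2:]) if self.proto.startswith("P:") else None

def parse_line(line: str) -> Optional[Entry]:
    m = LINE_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return Entry(int(d["rule"]), d["action"], d["proto"], d["src"], d["dst"], d["dir"], d["iface"])

def blocked_tunnel_sources(log: str, iface: str = "rl0") -> dict[str, list[int]]:
    """Map each outer IPv4 source whose proto-41 packets were rejected on iface
    to the rule numbers that rejected them (any action other than Accept)."""
    hits: dict[str, list[int]] = {}
    for line in log.splitlines():
        e = parse_line(line)
        if e and e.iface == iface and e.proto_number == 41 and e.action != "Accept":
            hits.setdefault(e.src, []).append(e.rule)
    return hits

if __name__ == "__main__":
    for src, rules in blocked_tunnel_sources(SAMPLE_LOG).items():
        print(f"proto-41 from {src} rejected by rule(s) {rules}")
```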