Unified rc.firewall ipfw me/me6 issue
David Horn
dhorn2000 at gmail.com
Thu Dec 17 07:49:18 UTC 2009
Hajimu --
Thanks for working on rc.firewall, as the old scenario of dueling
rc.firewall/rc.firewall6 was not easily used in the default configurations
when running dual stack. The new rc.firewall has some very decent sane
defaults. My testing so far has been concentrated on firewall_type="client",
dual stack v4/v6 with SLAAC for IPv6, and DHCP for IPv4. I will try some of
the IPv6 tunnel scenarios later.
I ran some tests against the now committed to -current /etc/rc.firewall, and
think I have found an issue. In every line that has the "me" token without
the equivalent "me6" token, the command is only taking effect for ipv4.
For example:
${fwcmd} add pass udp from me to any 53 keep-state
will allow dns requests from the client to pass, but if the destination host
is ipv6, this rule does not work. Instead you need:
${fwcmd} add pass udp from { me or me6 } to any 53 keep-state
The same issue exists for several other entries as well. (possible diff
attached) The other option is to modify ipfw to actually have three
different "me" tokens (me/me4/me6) where the new "me" token would match both
ipv4 and ipv6 local interface addresses. Currently "me" matches only ipv4
addresses on my amd64 -current box.
Thoughts anyone?
--Thanks!
--Dave Horn
P.S. It might also be nice to have an UPDATING entry for unified rc.firewall
-------------- next part --------------
Index: etc/rc.firewall
===================================================================
--- etc/rc.firewall (revision 200623)
+++ etc/rc.firewall (working copy)
@@ -229,19 +229,19 @@
${fwcmd} add pass all from any to any frag
# Allow setup of incoming email
- ${fwcmd} add pass tcp from any to me 25 setup
+ ${fwcmd} add pass tcp from any to { me or me6 } 25 setup
# Allow setup of outgoing TCP connections only
- ${fwcmd} add pass tcp from me to any setup
+ ${fwcmd} add pass tcp from { me or me6 } to any setup
# Disallow setup of all other TCP connections
${fwcmd} add deny tcp from any to any setup
# Allow DNS queries out in the world
- ${fwcmd} add pass udp from me to any 53 keep-state
+ ${fwcmd} add pass udp from { me or me6 } to any 53 keep-state
# Allow NTP queries out in the world
- ${fwcmd} add pass udp from me to any 123 keep-state
+ ${fwcmd} add pass udp from { me or me6 } to any 123 keep-state
# Everything else is denied by default, unless the
# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
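Review bot: the inbound rule in this client-section hunk, `add pass tcp from any to { me or me6 } 25 setup`, now accepts SMTP connection setup on every IPv6 address the host holds, including SLAAC-assigned global addresses, where before only IPv4 addresses matched; that is the intended fix, but because it widens what is reachable from outside it is exactly the kind of behaviour change the UPDATING entry suggested in the cover mail should spell out. Note also that ipfw reads `{`, `or` and `}` as separate words, so the spacing used here (`{ me or me6 }`) must be kept in all four substituted rules.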
@@ -387,15 +387,15 @@
${fwcmd} add pass all from any to any frag
# Allow setup of incoming email
- ${fwcmd} add pass tcp from any to me 25 setup
+ ${fwcmd} add pass tcp from any to { me or me6 } 25 setup
# Allow access to our DNS
- ${fwcmd} add pass tcp from any to me 53 setup
- ${fwcmd} add pass udp from any to me 53
- ${fwcmd} add pass udp from me 53 to any
+ ${fwcmd} add pass tcp from any to { me or me6 } 53 setup
+ ${fwcmd} add pass udp from any to { me or me6 } 53
+ ${fwcmd} add pass udp from { me or me6 } 53 to any
# Allow access to our WWW
- ${fwcmd} add pass tcp from any to me 80 setup
+ ${fwcmd} add pass tcp from any to { me or me6 } 80 setup
# Reject&Log all setup of incoming connections from the outside
${fwcmd} add deny log ip4 from any to any in via ${oif} setup proto tcp
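Review bot: the trailing context line `add deny log ip4 from any to any in via ${oif} setup proto tcp` is limited to IPv4, so after opening 25, 53 and 80 to `{ me or me6 }` in this simple-section hunk, inbound IPv6 TCP setup attempts on other ports arriving via ${oif} are not rejected and logged by this rule; check that the unchanged lines below carry an `ip6` counterpart (e.g. `add deny log ip6 from any to any in via ${oif} setup proto tcp`), and if not, add one next to it so the newly reachable IPv6 services get the same logging of refused connections as their IPv4 side.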
@@ -408,10 +408,10 @@
${fwcmd} add pass tcp from any to any setup
# Allow DNS queries out in the world
- ${fwcmd} add pass udp from me to any 53 keep-state
+ ${fwcmd} add pass udp from { me or me6 } to any 53 keep-state
# Allow NTP queries out in the world
- ${fwcmd} add pass udp from me to any 123 keep-state
+ ${fwcmd} add pass udp from { me or me6 } to any 123 keep-state
# Everything else is denied by default, unless the
# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
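Review bot: the DNS and NTP `keep-state` rules changed here duplicate the last two rules of the first hunk verbatim, which is where the risk of drift lies; if the `me`/`me6` distinction is kept in the script rather than fixed in ipfw as the cover mail also proposes, a one-line comment at the first `{ me or me6 }` occurrence saying that bare `me` matched only IPv4 in testing would keep later edits from reintroducing `from me to any` in one section but not the other. The preceding context `add pass tcp from any to any setup` already passes TCP setup regardless of address family, so in this region only these UDP rules depended on `me`.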