Unified rc.firewall ipfw me/me6 issue
Hajimu UMEMOTO
ume at freebsd.org
Thu Dec 17 08:36:15 UTC 2009
Hi,
>>>>> On Thu, 17 Dec 2009 02:20:47 -0500
>>>>> David Horn <dhorn2000 at gmail.com> said:
dhorn2000> Thanks for working on rc.firewall, as the old scenario of dueling
dhorn2000> rc.firewall/rc.firewall6 was not easily used in the default configurations
dhorn2000> when running dual stack. The new rc.firewall has some very decent sane
dhorn2000> defaults. My testing so far has been concentrated on firewall_type="client",
dhorn2000> dual stack v4/v6 with SLAAC for IPv6, and DHCP for IPv4. I will try some of
dhorn2000> the IPv6 tunnel scenarios later.
There is no rule to pass the IPv6-over-IPv4 tunnel. You need to add
it yourself for now. I thought it might be better to have it in our
default rules. However, I didn't come up with a suitable default, so I
didn't add it.
dhorn2000> I ran some tests against the now committed to -current /etc/rc.firewall, and
dhorn2000> think I have found an issue. In every line that has the "me" token without
dhorn2000> the equivalent "me6" token, the command is only taking effect for IPv4.
Yes, thank you for the report. It's my mistake. The default rules
should behave the same for IPv4 and IPv6 as far as possible.
dhorn2000> ${fwcmd} add pass udp from { me or me6 } to any 53 keep-state
Your proposed patch is simple enough, so I like it. However, we need
to consider environments where the kernel doesn't have IPv6 support,
so we cannot just use '{ me or me6 }' here.
How about the attached patch instead? Sorry, but I have no test
environment for now, so I haven't tested it myself yet. I'll test
it later.
dhorn2000> The same issue exists for several other entries as well. (possible diff
dhorn2000> attached) The other option is to modify ipfw to actually have three
dhorn2000> different "me" tokens (me/me4/me6) where the new "me" token would match both
dhorn2000> ipv4 and ipv6 local interface addresses. Currently "me" matches only ipv4
dhorn2000> addresses on my amd64 -current box.
I think it is better for 'me' to match both IPv4 and IPv6.
dhorn2000> P.S., might also be nice to have an UPDATING entry for unified rc.firewall
Yes, it should be. I'll add an UPDATING entry later.
Sincerely,
[Attachment: rc.firewall-me6.diff (text/x-patch, 2445 bytes):
http://lists.freebsd.org/pipermail/freebsd-ipfw/attachments/20091217/44197ba0/rc.firewall-me6.bin]
--
Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan
ume at mahoroba.org ume@{,jp.}FreeBSD.org
http://www.imasy.org/~ume/
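The point raised in the reply above is that '{ me or me6 }' is not a safe
default: on a kernel built without INET6, ipfw rejects the whole rule, the
rule is simply never loaded, and the two address families end up with
different policy. One way to get the "same behavior for IPv4 and IPv6 where
possible" without that failure mode is to emit the me rule unconditionally
and the me6 twin only when the kernel has IPv6. The script below is an added
illustration of that approach; it is not FreeBSD's rc.firewall and not the
patch attached to the message. The IPv6 probe via the net.inet6 sysctl tree,
the FORCE_INET6 override, the @me placeholder and the default dry-run fwcmd
("echo /sbin/ipfw") are all assumptions of the example, and the ssh rule is a
constructed second input showing the token in the "to" position.

```shell
#!/bin/sh
# Added example for the thread above; not FreeBSD's rc.firewall and not the
# attached patch. It emits each rc.firewall "me" rule once per address family
# the kernel can match, instead of the single '{ me or me6 }' form that ipfw
# rejects on a kernel built without INET6.
#
# Assumptions (mine, not the original message's):
#   - IPv6 support is probed through the net.inet6 sysctl tree; FORCE_INET6
#     (yes|no) overrides the probe so the script runs on any POSIX sh;
#   - fwcmd defaults to "echo /sbin/ipfw", so rules are printed, not loaded.
#     Set fwcmd=/sbin/ipfw on a FreeBSD host to load them for real.

fwcmd=${fwcmd:-"echo /sbin/ipfw"}

# Return 0 when rules using the me6 token can be loaded into this kernel.
have_inet6()
{
	case ${FORCE_INET6:-probe} in
	yes) return 0 ;;
	no)  return 1 ;;
	esac
	sysctl -n net.inet6.ip6.forwarding >/dev/null 2>&1
}

# me_rule RULE: RULE carries the placeholder @me where the local-address token
# goes, so it works in both the "from" and the "to" position. The IPv4 rule
# (me) is always emitted; the IPv6 twin (me6) only when the kernel has IPv6,
# so both families get the same policy wherever that is possible.
me_rule()
{
	_rule=$1
	case ${_rule} in
	*@me*) ;;
	*) echo "me_rule: no @me placeholder in: ${_rule}" >&2; return 1 ;;
	esac
	# Unquoted on purpose: the rule must be word-split into ipfw arguments.
	${fwcmd} add ${_rule%%@me*}me${_rule#*@me}
	if have_inet6; then
		${fwcmd} add ${_rule%%@me*}me6${_rule#*@me}
	fi
}

# Dry run. The DNS rule is the one discussed in the thread; the ssh rule is a
# constructed second example showing the token in the "to" position.
me_rule 'pass udp from @me to any 53 keep-state'
me_rule 'pass tcp from any to @me 22 setup keep-state'
```

On a host whose kernel lacks INET6 the second `ipfw add` is never attempted,
so nothing fails to load and the IPv4 rule set is exactly what it was before;
on a dual-stack kernel every me rule gets its me6 counterpart, which is the
behaviour the original report asked for.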