allowing gif thru ipfw
Eric W. Bates
ericx at ericx.net
Wed Feb 1 14:14:03 UTC 2012
On 2/1/2012 3:06 AM, Doug Barton wrote:
> If it's a hurricane electric tunnel don't you want protocol 41?

Well, it's a straight up gif. Right this second I'm trying to suss out
which protocol gifs use. If it's documented, I can't find it. The
closest bit I can find on the man page is:

    The behavior of gif is mainly based on RFC2893 IPv6-over-IPv4 configured
    tunnel.

I tried to read the pertinent parts of the RFC, but it doesn't really
discuss "type" or "protocol". It does talk about some header size issues.

Since ipfw is obviously blocking something and I can't get a handle on
it with tcpdump, I'm groping for an understanding of the shape of the
gif packets.

> On 01/31/2012 22:55, Eugene Grosbein wrote:
>> 01.02.2012 11:36, Eric W. Bates wrote:
>>> Seems like a silly question; but how does one allow the packets
>>> composing a gif tunnel thru ipfw?
>>>
>>> I assumed a gif was made up of ipencap (IP proto 4) packets and added rules:
>>>
>>> $fwcmd add 00140 allow ipencap from $he_tun to me
>>> $fwcmd add 00141 allow ipencap from me to $he_tun
>>>
>>> ($he_tun is a Hurricane Electric provider); but neither of them is
>>> hit; so that's wrong...
>>>
>>> tcpdump -i em_vlan5 -nnvvs0 ip proto 4
>>>
>>> doesn't show any packets either...
>>
>> Try:
>>
>> tcpdump -i em_vlan5 -nnvvs0 host $he_tun and not tcp and not udp and not icmp
>>
>> Perhaps your gif is encrypted with ipsec? That changes ip protocol numbers.
>>
>> Eugene Grosbein
>
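
Added example, not part of the original thread: a small Python parser for the outer IPv4 header of a tunnel packet. It shows how the protocol field separates IPv4-in-IPv4 (4) from IPv6-in-IPv4 (41, the number Doug Barton mentions) and from IPsec ESP/AH, which is the value a capture filter or firewall rule has to match. The packets, addresses and function names are constructed for illustration.

```python
import struct

# IANA protocol numbers that can appear in the outer IPv4 header of a tunnel.
TUNNEL_PROTOS = {4: "IPv4-in-IPv4", 41: "IPv6-in-IPv4", 50: "ESP", 51: "AH"}


def classify_outer(packet: bytes) -> dict:
    """Return the outer IPv4 protocol number and, if visible, the inner IP version."""
    if len(packet) < 20:
        raise ValueError("shorter than a minimal IPv4 header")
    version, ihl = packet[0] >> 4, (packet[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    proto = packet[9]  # protocol field sits at byte offset 9
    inner = None
    # Plain encapsulation exposes the inner header; ESP/AH payloads do not.
    if proto in (4, 41) and len(packet) > ihl:
        inner = packet[ihl] >> 4
    return {
        "proto": proto,
        "kind": TUNNEL_PROTOS.get(proto, "not a tunnel protocol"),
        "inner_version": inner,
        "pcap_filter": f"ip proto {proto}",  # pcap expression matching this outer header
    }


def build_outer(proto: int, payload: bytes) -> bytes:
    """Construct a sample outer IPv4 header (documentation addresses, checksum left 0)."""
    src, dst = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1])
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                      0, 0, 64, proto, 0, src, dst)
    return hdr + payload


# Constructed samples: the first payload byte carries the inner version nibble.
SAMPLE_V6_IN_V4 = build_outer(41, bytes([0x60]) + bytes(39))
SAMPLE_V4_IN_V4 = build_outer(4, bytes([0x45]) + bytes(19))
SAMPLE_ESP = build_outer(50, bytes(16))

if __name__ == "__main__":
    for name, pkt in [("v6-in-v4", SAMPLE_V6_IN_V4),
                      ("v4-in-v4", SAMPLE_V4_IN_V4),
                      ("esp", SAMPLE_ESP)]:
        print(name, classify_outer(pkt))
```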