From owner-freebsd-current@FreeBSD.ORG Mon Nov 23 19:52:51 2009
To: John Baldwin
In-reply-to: Your message of "Mon, 23 Nov 2009 12:55:25 EST." <200911231255.26279.jhb@freebsd.org>
Date: Mon, 23 Nov 2009 11:52:49 -0800
From: "Kevin Oberman"
Message-Id: <20091123195249.1518C1CC0E@ptavv.es.net>
Cc: freebsd-net@freebsd.org, freebsd-current@freebsd.org, Hajimu UMEMOTO, Doug Barton
Subject: Re: [CFR] unified rc.firewall
List-Id: Discussions about the use of FreeBSD-current
> From: John Baldwin
> Date: Mon, 23 Nov 2009 12:55:25 -0500
> Sender: owner-freebsd-current@freebsd.org
>
> On Monday 23 November 2009 12:27:23 pm Hajimu UMEMOTO wrote:
> > Hi,
> >
> > >>>>> On Mon, 23 Nov 2009 10:56:14 -0500
> > >>>>> John Baldwin said:
> >
> > jhb> @@ -178,6 +212,16 @@
> > jhb> # Allow any traffic to or from my own net.
> > jhb> ${fwcmd} add pass all from me to ${net}
> > jhb> ${fwcmd} add pass all from ${net} to me
> > jhb> + if [ -n "$net6" ]; then
> > jhb> + ${fwcmd} add pass ip6 from me6 to ${net6}
> > jhb> + ${fwcmd} add pass ip6 from ${net6} to me6
> > jhb> + fi
> > jhb> +
> > jhb> + if [ -n "$net6" ]; then
> > jhb> + # Allow any link-local multicast traffic
> > jhb> + ${fwcmd} add pass ip6 from fe80::/10 to ff02::/16
> > jhb> + ${fwcmd} add pass ip6 from ${net6} to ff02::/16
> > jhb> + fi
> >
> > jhb> Any reason to not use 'all' here rather than 'ip6' to match the earlier IPv4
> > jhb> rules?
> >
> > Thank you for the review.
> > The rule is only applicable for IPv6. Rather, I prefer to use 'ip4'
> > explicitly over 'all' or 'ip' here. However, changing 'all' to 'ip4'
> > makes the diff complex. So, I keep 'all' as is.
>
> Hmm, however, using 'all' will work, and while in this case the typing is the
> same I find it easier to read 'add pass tcp <...>' vs
> 'add pass ip <...> proto tcp'. I do think they should be consistent
> regardless.
>
> > jhb> # For services permitted below.
> > jhb> ${fwcmd} add pass tcp from me to any established
> > jhb> + if [ $ipv6_available -eq 0 ]; then
> > jhb> + ${fwcmd} add pass ip6 from any to any proto tcp established
> > jhb> + fi
> >
> > jhb> I think this extra rule here isn't needed at all as the first rule should
> > jhb> already match all of those packets.
> >
> > WORKSTATION type rule is fully dynamic. However, I saw it doesn't
> > work for IPv6 as expected. SSH connection stalls after some period.
> > I suspect keepalive timer doesn't work well for IPv6.
> > So, I changed to use traditional setup/established rule for TCP/IPv6.
> > Further, 'me' doesn't match to IPv6 address.

FWIW, I have been seeing this since the last update of OpenSSH. I never
saw it until then. It's a real pain and I'd love to see it fixed.
Right now I'm forced to use IPv4 for the jobs that I tunnel in SSH.
-- 
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman@es.net                  Phone: +1 510 486-8634
Key fingerprint: 059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751
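Review bot: In the first hunk (@@ -178,6 +212,16 @@) the two added `if [ -n "$net6" ]; then ... fi` blocks test the same condition back to back and should be one block; the split also hides that the two IPv6 gates in this patch differ (`-n "$net6"` here, `$ipv6_available -eq 0` in the established-rule hunk), so a host with IPv6 enabled but no `net6` set gets the established rule without the own-net and link-local multicast rules. Pick one gate for all IPv6 rules. The `fe80::/10 to ff02::/16` rule is what neighbour discovery and router advertisement need, so the comment should say that rather than just "Allow any link-local multicast traffic".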
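Review bot: In the "# For services permitted below." hunk, `${fwcmd} add pass ip6 from any to any proto tcp established` is wider than the IPv4 rule it mirrors: `pass tcp from me to any established` only matches segments sourced from a local address, while `from any to any` passes every IPv6 TCP segment with ACK or RST set in either direction, regardless of whether a connection exists, which is exactly the traffic the WORKSTATION ruleset was meant to keep dynamic. Since the earlier hunk already uses `me6`, write it as `${fwcmd} add pass ip6 from me6 to any proto tcp established` to keep parity with the IPv4 rule. Also quote the variable in the test (`[ "$ipv6_available" -eq 0 ]`): if it is ever empty, `[ -eq 0 ]` is a syntax error and the script stops before the rest of the rules load.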