Date:      Fri, 25 Apr 2008 14:16:22 -0700
From:      "Kevin Oberman" <oberman@es.net>
To:        "Tobias P. Santos" <tobias@netconsultoria.com.br>
Cc:        net@freebsd.org
Subject:   Re: ipfw can't be disabled for IPv56 
Message-ID:  <20080425211622.302CB45010@ptavv.es.net>
In-Reply-To: Your message of "Fri, 25 Apr 2008 16:48:46 -0300." <4812359E.5040800@netconsultoria.com.br> 

> Date: Fri, 25 Apr 2008 16:48:46 -0300
> From: "Tobias P. Santos" <tobias@netconsultoria.com.br>
> 
> Kevin Oberman wrote:
> > Running 7-STABLE of April 10, if I disable the firewall ('sysctl
> > net.inet.ip.fw.enable=0'), IPv4 traffic passes, but IPv6 will not. I had
> > to add an "allow ip from any to any" rule to get IPv6 to pass
> > traffic. (Since I was accessing the system in question via IPv6, this
> > was a bit annoying!)
> > 
> > Am I missing anything? The rc.subr script for ipfw just sets the sysctl I
> > did when it stops the firewall.
> 
> 
> # sysctl -a | grep fw
> net.inet.ip.fw.dyn_keepalive: 1
> net.inet.ip.fw.dyn_short_lifetime: 5
> net.inet.ip.fw.dyn_udp_lifetime: 10
> net.inet.ip.fw.dyn_rst_lifetime: 1
> net.inet.ip.fw.dyn_fin_lifetime: 1
> net.inet.ip.fw.dyn_syn_lifetime: 20
> net.inet.ip.fw.dyn_ack_lifetime: 300
> net.inet.ip.fw.static_count: 8
> net.inet.ip.fw.dyn_max: 4096
> net.inet.ip.fw.dyn_count: 0
> net.inet.ip.fw.curr_dyn_buckets: 256
> net.inet.ip.fw.dyn_buckets: 256
> net.inet.ip.fw.verbose_limit: 0
> net.inet.ip.fw.verbose: 1
> net.inet.ip.fw.debug: 1
> net.inet.ip.fw.one_pass: 1
> net.inet.ip.fw.autoinc_step: 100
> net.inet.ip.fw.enable: 1
> net.link.ether.ipfw: 0
> net.inet6.ip6.fw.enable: 1 <------------ voila!!!
> net.inet6.ip6.fw.debug: 1
> net.inet6.ip6.fw.verbose: 1
> net.inet6.ip6.fw.verbose_limit: 0
> net.inet6.ip6.fw.deny_unknown_exthdrs: 1
> 

Thanks! I need to file a PR to get that into the rc script. I should
have looked for an inet6-specific sysctl for this.
-- 
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman@es.net			Phone: +1 510 486-8634
Key fingerprint:059B 2DDF 031C 9BA3 14A4  EADA 927D EBB3 987B 3751
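
The check discussed in this thread, as an added example that is not part of the original messages or of the FreeBSD rc scripts: a shell function that reads `sysctl`-style "name: value" lines and reports whether `net.inet.ip.fw.enable` and `net.inet6.ip6.fw.enable` agree. The function name `ipfw_enable_state`, the helper `sample_after_v4_disable` and the sample input are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): compare ipfw's IPv4 and IPv6 enable
# sysctls. Input is "name: value" lines on stdin, as printed by sysctl.

# Prints one status line; returns 0 = agree, 1 = differ, 2 = a sysctl is absent.
ipfw_enable_state() {
    v4="" v6=""
    while IFS= read -r line; do
        case $line in
            # Keep only the value; drop anything after it (e.g. "<--- voila!!!").
            net.inet.ip.fw.enable:*)   v4=${line#*:}; v4=${v4# }; v4=${v4%% *} ;;
            net.inet6.ip6.fw.enable:*) v6=${line#*:}; v6=${v6# }; v6=${v6%% *} ;;
        esac
    done
    if [ -z "$v4" ] || [ -z "$v6" ]; then
        echo "unknown: v4=${v4:-missing} v6=${v6:-missing}"
        return 2
    fi
    if [ "$v4" = "$v6" ]; then
        echo "consistent: v4=$v4 v6=$v6"
        return 0
    fi
    echo "mismatch: v4=$v4 v6=$v6"
    return 1
}

# Constructed sample: the state described in the thread after running only
# 'sysctl net.inet.ip.fw.enable=0' (IPv4 disabled, IPv6 still enabled).
sample_after_v4_disable() {
    cat <<'EOF'
net.inet.ip.fw.one_pass: 1
net.inet.ip.fw.enable: 0
net.link.ether.ipfw: 0
net.inet6.ip6.fw.enable: 1
net.inet6.ip6.fw.debug: 1
EOF
}

# Demonstration on the constructed sample; "|| true" keeps the script's exit 0.
sample_after_v4_disable | ipfw_enable_state || true
```

On a live host the same function can be fed from `sysctl net.inet.ip.fw.enable net.inet6.ip6.fw.enable`; a non-zero return means one address family is being filtered while the other is not, or that one of the two sysctls is not present.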
