Date:      Fri, 30 Sep 2011 21:35:34 +0300
From:      Alexander Motin <mav@FreeBSD.org>
To:        Olivier Cochard-Labbé <olivier@cochard.me>
Cc:        freebsd-ipfw@freebsd.org
Subject:   Re: ipfw doesn't support IPv6 PPTP VPN (IPFW2: IPV6 - Unknown Extension Header(47))
Message-ID:  <4E860BF6.1060303@FreeBSD.org>
In-Reply-To: <CA+q+TcptTrbNTsGtWkq=7n6j=9SAMWLBSBbLyBOTm4utBUCNJg@mail.gmail.com>
References:  <CA+q+TcptTrbNTsGtWkq=7n6j=9SAMWLBSBbLyBOTm4utBUCNJg@mail.gmail.com>

Hi.

Olivier Cochard-Labbé wrote:
> I've got 2 PPTP VPN tunnels (using net/mpd5) between 2 FreeBSD based
> routers (8.2-RELEASE-p3):
> One IPv6 tunnel (IPv6 end point addresses) and one IPv4 tunnel (IPv4
> end point addresses), and would like to try to enable IPFW between them.
> I first began by enabling IPFW in open mode, but as soon as I enable
> it, my IPv6 tunnel goes down and my console fills with these messages:
> 
> IPFW2: IPV6 - Unknown Extension Header(47), ext_hd=0
> 
> And there is no denied rules matched:
> 
> [root@R4]~# ipfw -a list
> 00100    0      0 allow ip from any to any via lo0
> 00200    0      0 deny ip from any to 127.0.0.0/8
> 00300    0      0 deny ip from 127.0.0.0/8 to any
> 00400    0      0 deny ip from any to ::1
> 00500    0      0 deny ip from ::1 to any
> 00600    7    536 allow ipv6-icmp from :: to ff02::/16
> 00700   49   3336 allow ipv6-icmp from fe80::/10 to fe80::/10
> 00800   20   1736 allow ipv6-icmp from fe80::/10 to ff02::/16
> 00900    0      0 allow ipv6-icmp from any to any ip6 icmp6types 1
> 01000   50   3400 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
> 65000 1727 102386 allow ip from any to any
> 65535    0      0 deny ip from any to any
> 
> I don't think it's a normal behaviour: Does anyone know how to fix that?
> 
> If you need more information on this setup, all configurations are
> online (it's router 4):
> http://bsdrp.net/documentation/examples/maximum_bsdrp_features_lab

A quick look at the ipfw kernel sources showed a sysctl controlling that:
net.inet6.ip6.fw.deny_unknown_exthdrs. You may try setting it to zero.

IPv6 is more flexible in stacking different packet headers. And so
things like unknown protocol codes that are usual for IPv4 may not be
an easy question for an IPv6 firewall. I am not very good at IPv6, but
the present behavior looks too strict to me. I am not sure why the same
logic can't be used as with non-first fragments of fragmented IPv4, where
an "allow all" rule that doesn't look inside (not mentioning protocol or
ports) should still match.

-- 
Alexander Motin
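The following is an added illustration of the behaviour discussed in this thread; it is not ipfw code and not from either poster. It walks an IPv6 extension-header chain the way a firewall must before it can see the upper-layer protocol, and then applies a strict or permissive policy to a next-header value it does not recognise. GRE (protocol 47, the PPTP data carrier) is the value that triggers the "Unknown Extension Header(47)" message above. The set of "known" upper-layer protocols, the packet contents and the verdict strings are constructed for this example; the knob name `deny_unknown_exthdrs` only mirrors the sysctl named in the reply.

```python
"""Walk an IPv6 header chain and compare a strict vs. permissive policy
for an upper-layer protocol the firewall does not recognise.

Added example for the ipfw thread; not ipfw code.  KNOWN_ULP and the
sample packets below are assumptions/constructed data.
"""
import struct

# Extension headers that carry a Next Header field and can be chained (RFC 2460/4302).
HOPOPTS, ROUTING, FRAGMENT, AH, DSTOPTS = 0, 43, 44, 51, 60
NO_NEXT_HEADER = 59
EXT_HEADERS = {HOPOPTS, ROUTING, FRAGMENT, AH, DSTOPTS}

# Upper-layer protocols this example's firewall knows how to inspect.
# GRE (47) is deliberately absent, mirroring the kernel message in the thread.
KNOWN_ULP = {6: "tcp", 17: "udp", 58: "ipv6-icmp", 50: "esp", 41: "ipv6"}


def walk_ipv6_chain(pkt):
    """Return (extension headers seen, final Next Header value, offset of
    the upper-layer header).  Raises ValueError on a malformed chain."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off, seen = pkt[6], 40, []
    while nxt in EXT_HEADERS:
        if off + 2 > len(pkt):
            raise ValueError("truncated extension header")
        seen.append(nxt)
        hdr_ext_len = pkt[off + 1]
        if nxt == FRAGMENT:
            length = 8                       # fixed-size header
        elif nxt == AH:
            length = (hdr_ext_len + 2) * 4   # AH length is in 4-octet units
        else:
            length = (hdr_ext_len + 1) * 8   # others in 8-octet units, excl. first 8
        nxt = pkt[off]                       # Next Header is the first octet
        off += length
    return seen, nxt, off


def firewall_verdict(pkt, deny_unknown_exthdrs):
    """('deny', proto) when strict mode rejects an unrecognised protocol,
    otherwise ('rules', proto): the packet proceeds to rule evaluation,
    where a protocol-agnostic rule such as 'allow ip from any to any' can match."""
    _, proto, _ = walk_ipv6_chain(pkt)
    if proto in KNOWN_ULP or proto == NO_NEXT_HEADER:
        return ("rules", proto)
    if deny_unknown_exthdrs:
        return ("deny", proto)
    return ("rules", proto)


def build_ipv6(next_header, payload):
    """Constructed IPv6 header (documentation prefix 2001:db8::/32 addresses)."""
    src = bytes.fromhex("20010db8" + "00" * 11 + "01")
    dst = bytes.fromhex("20010db8" + "00" * 11 + "02")
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64)
    return fixed + src + dst + payload


# Constructed sample 1: IPv6 directly carrying GRE (47), as a PPTP data tunnel does.
GRE_PKT = build_ipv6(47, b"\x00\x00\x88\x0b" + b"\x00" * 16)

# Constructed sample 2: Hop-by-Hop -> Fragment -> TCP, a chain the walker must follow.
_HOPOPTS = bytes([FRAGMENT, 0]) + b"\x01\x04\x00\x00\x00\x00"      # PadN to 8 octets
_FRAG = bytes([6, 0]) + struct.pack("!HI", 0, 0x1234)              # offset 0, id 0x1234
TCP_FRAG_PKT = build_ipv6(HOPOPTS, _HOPOPTS + _FRAG + b"\x00" * 20)

if __name__ == "__main__":
    for name, pkt in (("gre", GRE_PKT), ("hbh+frag+tcp", TCP_FRAG_PKT)):
        seen, proto, off = walk_ipv6_chain(pkt)
        print(name, "ext headers:", seen, "final proto:", proto, "ulp at:", off)
        print("  strict  :", firewall_verdict(pkt, deny_unknown_exthdrs=True))
        print("  permissive:", firewall_verdict(pkt, deny_unknown_exthdrs=False))
```

With the strict setting the GRE packet is dropped before any rule is consulted, which is why no deny rule in the quoted `ipfw -a list` output shows a counter increment; only the permissive setting lets the protocol-agnostic `allow ip from any to any` rule see it.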


