Date: Mon, 02 Oct 2000 10:33:32 +0100
From: "Steehouder, R.J." <r.j.steehouder@kpn.com>
To: "'freebsd-net@freebsd.org'" <freebsd-net@freebsd.org>, "'freebsd-ipfw@freebsd.org'" <freebsd-ipfw@freebsd.org>
Subject: IPv6 Firewall problem (with solution)
Message-ID: <59063B5B4D98D311BC0D0001FA7E45220369D2CB@l04.research.kpn.com>
Sorry if this is slightly off topic, but there is no FreeBSD-IPv6 mailing list that I know of.

I have stumbled upon the following: the IPv6 firewall and IPv6 neighbor discovery don't work well together.

In the system depicted below, Tembo acts as a firewall and gateway for Kima. The target is to only let traffic between Twiga and Kima through.

  +--+         +--+         +--+
  |  |-----+---|  |---------|  |
  +--+     |   +--+         +--+
 Twiga     |  Tembo         Kima
           |
         +--+
  Simba  |  |----(Internet / 6Bone / etc.)
         +--+

Twiga: FreeBSD 4.1-RELEASE
Kima:  Windows 2000
Tembo: FreeBSD 4.x-STABLE
Simba: Cisco router

All network connections are IPv6. Simba is the default router in the left network, Tembo in the right one.

Firewall rules on Tembo:

  # link-local addresses
  add allow all from fe80::/64 to fe80::/64
  # link-local multicast addresses
  add allow all from any to ff00::/12
  # Twiga <-> Kima
  add allow all from Kima to Twiga
  add allow all from Twiga to Kima

Problem:

Some time after installing these rules, communication between Kima and Twiga stops. Why? Because neighbor discovery tells Tembo that Kima is no longer there (due to the firewall restrictions, Tembo cannot communicate with Kima using global addresses). Kima is therefore removed from the routing table and traffic stops.

Solution:

Allow communication between Kima and Tembo:

  allow all from Kima to Tembo
  allow all from Tembo to Kima

Using static routes instead should work as well, but then what's the point of using autoconfiguration in IPv6.

Between Tembo and Twiga this does not pose a problem, because there is a route via Simba (using Simba's link-local address). Simba is known because of its router solicitation messages on ff02:: multicast addresses. Twiga should also lose contact with Tembo (neighbor discovery fails), but since Simba has a static route to Tembo, it doesn't mind.

Opening up the firewall/gateway to the networks poses a security risk. Maybe this situation should be documented somewhere in the firewall documentation? (If only to show people how to solve this problem when they get to it.)

If anyone knows a better solution (one that doesn't expose the firewall), please tell me.

Rogier Steehouder
Stagiair KPN Research
mailto:r.j.steehouder@kpn.com
(If it bounces, try mailto:r.j.steehouder@student.utwente.nl)
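As an added example (not part of Rogier's message and not FreeBSD project code), the script below shows the narrower form of the fix he asks for: instead of allowing all traffic between Kima and Tembo, it permits only ICMPv6 neighbor solicitation (type 135) and neighbor advertisement (type 136) between Kima and Tembo's global address, so Tembo's neighbor-cache entry for Kima keeps being refreshed by neighbor unreachability detection while the firewall's global address stays closed to everything else. It assumes the FreeBSD 4.x ip6fw(8) syntax (the `ipv6-icmp` protocol name from /etc/protocols and the `icmptypes` option) and uses hypothetical addresses for the three hosts; the fe80::/10 and ff02::/16 prefixes are also my choice, not the ones in the message. Without `APPLY=1` it only prints the rules it would load.

```shell
#!/bin/sh
# Added example: restrictive ip6fw ruleset for Tembo (FreeBSD 4.x ip6fw(8)).
# Hypothetical addresses; replace with the real ones.
KIMA="2001:db8:2::10"    # Kima's global address (assumed)
TWIGA="2001:db8:1::10"   # Twiga's global address (assumed)
TEMBO="2001:db8:2::1"    # Tembo's global address on Kima's link (assumed)

# Print each rule, or load it with ip6fw when APPLY=1 is set in the environment.
rule() {
    if [ "${APPLY:-0}" = 1 ]; then
        ip6fw "$@"
    else
        echo "ip6fw $*"
    fi
}

gen_rules() {
    rule -f flush
    # Link-local unicast and link-local multicast: router advertisements,
    # solicited-node multicast and DAD all live here, so keep them open.
    rule add 100 allow all from fe80::/10 to fe80::/10
    rule add 110 allow all from any to ff02::/16
    # Neighbor discovery between Tembo's global address and Kima only:
    # 135 = neighbor solicitation, 136 = neighbor advertisement (protocol 58).
    # This is what neighbor unreachability detection needs to keep Kima's
    # entry alive; nothing else may reach the firewall's global address.
    rule add 200 allow ipv6-icmp from "$KIMA" to "$TEMBO" icmptypes 135,136
    rule add 210 allow ipv6-icmp from "$TEMBO" to "$KIMA" icmptypes 135,136
    # The traffic the firewall is actually meant to pass.
    rule add 300 allow all from "$KIMA" to "$TWIGA"
    rule add 310 allow all from "$TWIGA" to "$KIMA"
    # Everything else, including any other traffic to or from Tembo, is dropped.
    rule add 65000 deny all from any to any
}

gen_rules
```

If Tembo's NUD probes to Kima are sourced from a different global address (for instance on a host with several prefixes), that address needs the same two icmptypes rules; check with `ip6fw -a list` which rule counters grow while a ping between Kima and Twiga runs, and which stay at zero.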