From owner-freebsd-ipfw@freebsd.org Sun Jun 16 19:08:51 2019
From: "Andrey V. Elsukov" <bu7cher@yandex.ru>
To: Peter, freebsd-ipfw@freebsd.org
Date: Sun, 16 Jun 2019 22:06:40 +0300
Subject: Re: ipfw: switching sets does stall the machine
Message-ID: <083acaaf-6262-f582-11ad-71623a88786b@yandex.ru>
In-Reply-To: <20190614201317.GA8840@gate.oper.dinoex.org>

On 14.06.2019 23:13, Peter wrote:
> 2. There are dynamic rules involved. These do not disappear on a
> "set disable". They stay and continue to function - somehow.
>
> 3. When a packet successfully matches a check-state, it does NOT
> continue to be processed at the rule following that check-state.
> Instead, it does continue to be processed at the place after
> the parent keep-state rule that was originally matched!
>
> But what if that keep-state rule is now disabled, and the new
> rules do not line up in their numbering in the exact same way?
> Then this packet appears at some arbitrary place in the rule
> list and may go to wherever.

Dynamic rules use only the "action" part of the parent rule, so when a
dynamic state is "applied" to a packet, it just executes the action of the
parent rule without checking the set to which the rule belongs. But then,
if packet processing continues, the next rule is checked from the
beginning, and thus its set is checked.

> Obviously this is not an issue if you do keep-state with simple
> Allow or Deny rules - then the packets leave the system after
> matching.
> But such simple keep-state do not work with NAT. For NAT one needs
> a more elaborate approach, like tagging and branching and
> subroutine calling.
>
> So the outcome is:
>
> When switching sets with such a configuration that introduces
> branches and subroutines, the old and new rules need to precisely
> line up to each other, so that the old dynamic rules (which should
> be kept for the network sessions to persist) can reinsert their
> matched packets at places where correct further processing happens.
>
> Doesn't seem like an easy task...

You may try 11.3-BETA, where the new implementation of dyn_keep_states was
committed. When you set net.inet.ip.fw.dyn_keep_states=1, the dynamic
states aren't deleted with their parent rules. They are kept until they
expire or are explicitly deleted (with the -D flag). But the next rule for
states that don't stop packet processing is the last rule. This probably
will not fit your requirements.

-- 
WBR, Andrey V. Elsukov

From owner-freebsd-ipfw@freebsd.org Sun Jun 16 21:02:00 2019
From: bugzilla-noreply@FreeBSD.org
To: ipfw@FreeBSD.org
Date: Sun, 16 Jun 2019 21:01:57 +0000
Subject: Problem reports for ipfw@FreeBSD.org that need special attention
Message-Id: <201906162101.x5GL1vx1059668@kenobi.freebsd.org>

To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering all
versions including experimental development code and obsolete releases.

Status      |    Bug Id | Description
------------+-----------+---------------------------------------------------
New         |    215875 | [ipfw] ipfw lookup tables do not support mbuf_tag
New         |    232764 | [ipfw] share/examples/ipfw/change_rules.sh: Suppo

2 problems total for which you should take action.
From owner-freebsd-ipfw@freebsd.org Sun Jun 16 21:13:14 2019
From: Peter
To: "Andrey V. Elsukov"
Cc: freebsd-ipfw@freebsd.org
Date: Sun, 16 Jun 2019 22:33:58 +0200
Subject: Re: ipfw: switching sets does stall the machine
Message-ID: <20190616203358.GA74004@gate.oper.dinoex.org>
In-Reply-To: <083acaaf-6262-f582-11ad-71623a88786b@yandex.ru>

On Sun, Jun 16, 2019 at 10:06:40PM +0300, Andrey V. Elsukov wrote:
! On 14.06.2019 23:13, Peter wrote:
! > 2. There are dynamic rules involved. These do not disappear on a
! > "set disable". They stay and continue to function - somehow.
! >
! > 3. When a packet successfully matches a check-state, it does NOT
! > continue to be processed at the rule following that check-state.
! > Instead, it does continue to be processed at the place after
! > the parent keep-state rule that was originally matched!
! >
! > But what if that keep-state rule is now disabled, and the new
! > rules do not line up in their numbering in the exact same way?
! > Then this packet appears at some arbitrary place in the rule
! > list and may go to wherever.
!
! Dynamic rules use only "action" part of parent rule, so when dynamic
! state is "applied" to a packet, it just executes action of parent rule
! without checking the set to which belongs the rule.

Yes, that I understand. And they only disappear when the parent rule is
deleted, not when it is disabled. Which actually is a good thing, as there
are these items sitting on a database connection, and they tend to sit
there forever:

> 00594 9839 1363578 (216s) STATE tcp 192.168.98.3 45596 <-> 192.168.97.9 5432 :f35
> 00594 9275 35395116 (36s) STATE tcp 192.168.98.3 32565 <-> 192.168.97.9 5432 :f35
> 00713 829 3029042 (292s) STATE tcp 192.168.98.2 34036 <-> 192.168.97.9 5432 :f25

Actually these shouldn't be dynamic rules - but if they happen to be,
things should still work.

! But then, if a packet processing is continued, the next rule checked
! from the beginning, and thus its set is checked.

Processing seems to continue right behind the original parent rule -
whatever tends to be there in some enabled set at that moment.

! You may try 11.3-BETA where new implementation of dyn_keep_states was
! committed. When you set net.inet.ip.fw.dyn_keep_states=1, the dynamic
! states aren't deleted with their parents rules.

It appeared to me that this would already work in 11.2 - but there are a
couple of other nice things appearing in 11.3, as it seems - e.g. a better
differentiation between the statefulness and the action of a rule.

Anyway, dyn_keep_states seems to point the processing to rule #65535, and
that one does either allow or deny (without logging) - which is not what
I need.

I went a different way now (which was actually easier than I thought):
I put all the stateful rules at the end of the list, so that it looks
like that:

...
65491       0         0 count tag 65534 tcp from ... to ... setup keep-state :f72
65492       0         0 return ip from any to any
65493       0         0 count tag 65534 tcp from ... to ... setup keep-state :f66
65494       0         0 return ip from any to any
65495       0         0 count tag 65534 tcp from ... to ... setup keep-state :f70
65496    4178    220618 return ip from any to any
65497       0         0 count tag 65534 tcp from ... to ... setup keep-state :f65
65498    4178    220618 return ip from any to any
...

Since this structure will now always be at the end of the list, it does
not harm to switch sets - the dynamic rules need just a "return", and
will get one. And when switching between staging and production, I move
all the old rules to an unused and disabled set, so that the ever-living
dynamic stuff does not get disconnected.

I don't know how many rules the whole thing can hold, but currently it
seems to work that way.

My background for the whole effort is this: after 15 years of manually
maintaining a list of rules, I got very bored of it: this can be done by
a machine, and man should not do machine's work. So I wrote a little
engine that auto-generates the rules from the network diagram and
required services. Now there can be an arbitrary number of NATs and
forwards and anything at any place, and it should create correct rules
to handle it all. But this requires a genuine approach to statefulness,
where the dynamic rule is de-coupled from its action; because the
specific action can vary (e.g. when traversing a NAT in different
directions).
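The two mechanics discussed in this thread (a dynamic-state hit executes only the parent rule's action without checking the parent's set, then processing continues at whatever enabled rule follows the parent's position) and Peter's remedy (stateful rules at the end of the list, each followed by a return) can be reproduced in a toy model. The following is an added simulation, not code from FreeBSD, ipfw or either poster: rule numbers, the "db" flow label and both rulesets are constructed; the model assumes the state table is consulted only once per packet, that a call returns to the first rule after the caller, and it treats a return on an empty stack as a configuration error rather than modelling the kernel's behaviour.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    num: int
    set: int
    action: str                        # allow | deny | count | call | return | check-state
    match: Optional[frozenset] = None  # flow labels this rule matches; None = any
    keep_state: bool = False           # rule carries keep-state
    target: int = 0                    # destination of a 'call'


def _find(rules, num):
    """Index of the first rule numbered >= num (like ipfw_find_rule)."""
    return next((i for i, r in enumerate(rules) if r.num >= num), len(rules) - 1)


def process(rules, flow, states, disabled):
    """Walk the chain for one packet of `flow`; returns (verdict, path of rule numbers)."""
    rules = sorted(rules, key=lambda r: r.num)
    stack, path, probed, i = [], [], False, 0
    while i < len(rules):
        r = rules[i]
        if r.set in disabled:              # rules of disabled sets are skipped by the walker
            i += 1
            continue
        via_state = False
        if (r.action == "check-state" or r.keep_state) and not probed:
            probed = True                  # model assumption: state table consulted once per packet
            parent = states.get(flow)
            if parent is not None:
                # Dynamic hit: jump straight to the parent's action. The parent's set is
                # NOT checked, and processing then continues at whatever enabled rule
                # follows the parent's position in the current chain.
                i = _find(rules, parent)
                r = rules[i]
                if r.num != parent:
                    raise ValueError("parent rule deleted: not modelled here")
                via_state = True
        if not via_state:
            if r.action == "check-state" or (r.match is not None and flow not in r.match):
                i += 1
                continue
            if r.keep_state:
                states.setdefault(flow, r.num)   # install state; parent = this rule
        path.append(f"state->{r.num}" if via_state else str(r.num))
        if r.action in ("allow", "deny"):
            return r.action, path
        if r.action == "call":
            stack.append(r.num)
            i = _find(rules, r.target)
        elif r.action == "return":
            if not stack:                  # model assumption: treated as a configuration error
                return "return-with-empty-stack", path
            i = _find(rules, stack.pop() + 1)   # first rule after the caller
        else:                              # count: keep walking
            i += 1
    return "fell-off-chain", path


DB = frozenset({"db"})                     # constructed flow label: the long-lived DB session
DEFAULT = Rule(65535, 0, "deny")


def _front(s, sub):
    """Entry rules of set `s`: call the subroutine at `sub`, allow whatever returns."""
    return [Rule(100, s, "call", target=sub), Rule(200, s, "allow"),
            Rule(sub, s, "check-state")]


def broken_layout():
    """Stateful rule inside the per-set subroutine; set 2 is numbered differently."""
    return (_front(1, 1000)
            + [Rule(1010, 1, "count", match=DB, keep_state=True), Rule(1020, 1, "return")]
            + _front(2, 2000)
            + [Rule(1011, 2, "deny"),      # unrelated block of the new set, right after 1010
               Rule(2010, 2, "count", match=DB, keep_state=True), Rule(2020, 2, "return"),
               DEFAULT])


def peters_layout():
    """Stateful rules at the end of the list, each followed by a return."""
    return (_front(1, 1000)
            + [Rule(1010, 1, "call", match=DB, target=65491), Rule(1020, 1, "return")]
            + _front(2, 2000)
            + [Rule(1011, 2, "deny"),
               Rule(2010, 2, "call", match=DB, target=65493), Rule(2020, 2, "return"),
               Rule(65491, 1, "count", match=DB, keep_state=True), Rule(65492, 1, "return"),
               Rule(65493, 2, "count", match=DB, keep_state=True), Rule(65494, 2, "return"),
               DEFAULT])


def switch_sets_demo(layout):
    """Open the DB session with set 1 active, switch to set 2, send one more packet."""
    rules, states = layout(), {}
    before, _ = process(rules, "db", states, disabled={2})
    after, path = process(rules, "db", states, disabled={1})
    return before, after, path


if __name__ == "__main__":
    for layout in (broken_layout, peters_layout):
        print(layout.__name__, switch_sets_demo(layout))
```

In the broken layout the established session is dropped by rule 1011 after the switch because that is simply the next enabled rule after the parent's position; in Peter's layout the packet reaches the new set's return at 65494 and is allowed.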
From owner-freebsd-ipfw@freebsd.org Tue Jun 18 20:00:48 2019
From: Michael Sierchio <kudzu@tenebras.com>
To: freebsd-ipfw@freebsd.org
Date: Tue, 18 Jun 2019 13:00:10 -0700
Subject: Look for an ipfw example using NPTv6

I'm looking for a simple firewall example using nptv6 to translate
link-local addresses to match the prefix assigned by my ISP. I'll be using
stateful rules and allowing only outbound traffic.

If you have a snippet, I'll be grateful. Thanks.

-- 
"Well," Brahmā said, "even after ten thousand explanations, a fool is no
wiser, but an intelligent person requires only two thousand five hundred."
- The Mahābhārata

From owner-freebsd-ipfw@freebsd.org Tue Jun 18 22:53:43 2019
From: bugzilla-noreply@freebsd.org
To: ipfw@FreeBSD.org
Date: Tue, 18 Jun 2019 22:53:41 +0000
Subject: [Bug 238694] Configuring & using a customized IPFW rule set now causes additional rules to be (involuntarily) added
X-Bugzilla-Product: Base System
X-Bugzilla-Component: conf
X-Bugzilla-Version: 12.0-RELEASE
X-Bugzilla-Severity: Affects Some People
X-Bugzilla-Status: New
X-Bugzilla-Who: linimon@FreeBSD.org

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=238694

Mark Linimon changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|bugs@FreeBSD.org            |ipfw@FreeBSD.org

-- 
You are receiving this mail because:
You are the assignee for the bug.

From owner-freebsd-ipfw@freebsd.org Wed Jun 19 11:26:34 2019
From: "Andrey V. Elsukov" <bu7cher@yandex.ru>
To: Michael Sierchio, freebsd-ipfw@freebsd.org
Date: Wed, 19 Jun 2019 14:24:19 +0300
Subject: Re: Look for an ipfw example using NPTv6

On 18.06.2019 23:00, Michael Sierchio wrote:
> I'm looking for a simple firewall example using nptv6 to translate
> link-local addresses to match the prefix assigned by my ISP. I'll be using
> stateful rules and allowing only outbound traffic.
>
> If you have a snippet, I'll be grateful. Thanks.

The NPTv6 module is targeted at translating routed traffic. IPv6 link-local
addresses are not forwardable. Thus you cannot configure an nptv6 instance
with such a prefix.

-- 
WBR, Andrey V. Elsukov
From: bugzilla-noreply@freebsd.org
To: ipfw@FreeBSD.org
Subject: [Bug 238694] Configuring & using a customized IPFW rule set now causes additional rules to be (involuntarily) added
Date: Wed, 19 Jun 2019 16:09:56 +0000
X-Bugzilla-Who: rgrimes@FreeBSD.org
X-Bugzilla-Product: Base System
X-Bugzilla-Component: conf
X-Bugzilla-Version: 12.0-RELEASE
X-Bugzilla-Keywords: regression

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=238694

Rodney W. Grimes changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |rgrimes@FreeBSD.org
           Keywords|                            |regression

--- Comment #1 from Rodney W. Grimes ---
I concur that this is in fact a bug in the /etc/rc.firewall script. It is NOT
a bug in the documentation. The documentation is correct, the behavior of the
script is wrong.

I suggest that the "mandatory" stuff that is always done is simply wrong to be
always done; if in fact a file type script is being invoked I may very much
want those "mandatory" rules in a different place and shall be allowed to do
so.

Further, this is a change in past behavior causing a POLA violation. Had I
been using firewall_type rather than firewall_script to point to my custom
firewall this would have bitten me too, and in not very pleasant ways.

Besides, they are not actually mandatory from anything I can even remotely
imagine. Technically you should even be able to remove lo0, but *sigh* that
has also degenerated over the years, as has hard coded 127.0.0.1 and ::1,
which is a royal PITA for some.

-- 
You are receiving this mail because:
You are the assignee for the bug.

From owner-freebsd-ipfw@freebsd.org Wed Jun 19 17:04:27 2019
From: Michael Sierchio <kudzu@tenebras.com>
To: "Andrey V. Elsukov"
Cc: freebsd-ipfw@freebsd.org
Date: Wed, 19 Jun 2019 10:03:48 -0700
Subject: Re: Look for an ipfw example using NPTv6

Are you saying NPTv6 cannot rewrite a LL prefix to a public prefix, such as
the one held on the external interface?

On Wed, Jun 19, 2019 at 4:26 AM Andrey V. Elsukov wrote:
> On 18.06.2019 23:00, Michael Sierchio wrote:
> > I'm looking for a simple firewall example using nptv6 to translate
> > link-local addresses to match the prefix assigned by my ISP. I'll be
> > using stateful rules and allowing only outbound traffic.
> >
> > If you have a snippet, I'll be grateful. Thanks.
>
> NPTv6 module is targeted to translate routed traffic. IPv6 link-local
> addresses are not forwardable. Thus you cannot configure an nptv6
> instance with such a prefix.
>
> --
> WBR, Andrey V. Elsukov

-- 
"Well," Brahmā said, "even after ten thousand explanations, a fool is no
wiser, but an intelligent person requires only two thousand five hundred."
- The Mahābhārata

From owner-freebsd-ipfw@freebsd.org Wed Jun 19 17:09:03 2019
From: "Andrey V. Elsukov" <bu7cher@yandex.ru>
To: Michael Sierchio
Cc: freebsd-ipfw@freebsd.org
Message-ID: <4f0bcdc7-68d7-bbc4-7825-384fe73696c3@yandex.ru>
Date: Wed, 19 Jun 2019 20:06:43 +0300
Subject: Re: Look for an ipfw example using NPTv6

On 19.06.2019 20:03, Michael Sierchio wrote:
> On 18.06.2019 23:00, Michael Sierchio wrote:
> > I'm looking for a simple firewall example using nptv6 to translate
> > link-local addresses to match the prefix assigned by my ISP. I'll
> > be using stateful rules and allowing only outbound traffic.
> >
> > If you have a snippet, I'll be grateful. Thanks.
>
> NPTv6 module is targeted to translate routed traffic. IPv6 link-local
> addresses are not forwardable. Thus you cannot configure an nptv6
> instance with such a prefix.
>
> Are you saying NPTv6 cannot rewrite a LL prefix to a public prefix, such
> as the one held on the external interface?

Yes. A link-local address must belong to a single "link"; the IPv6 scoped
address architecture doesn't allow forwarding packets with link-local
addresses from one link to another.

-- 
WBR, Andrey V. Elsukov

From owner-freebsd-ipfw@freebsd.org Wed Jun 19 22:05:14 2019
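The exchange above turns on what NPTv6 actually does: it rewrites a routed prefix while keeping transport checksums valid, and it has nothing to offer for addresses that never leave their link. What follows is an added example, not code from this thread or from FreeBSD's ipfw nptv6 module: a Python model of the RFC 6296 mapping for one internal/external /64 prefix pair that refuses a link-local (fe80::/10) prefix before doing anything else. The sample prefixes (a ULA prefix and a documentation prefix) are constructed, and the handling of the 0xFFFF edge case in the interface identifier is my reading of RFC 6296 section 3.2, not something verified against ipfw.

```python
# Added example, not code from the thread or from FreeBSD's ipfw nptv6 module:
# a small model of RFC 6296 NPTv6 prefix translation for a /64 prefix pair,
# which refuses link-local prefixes because link-local addresses are confined
# to one link and are never forwarded (RFC 4007 scoped address architecture).
import ipaddress


def _words(addr: ipaddress.IPv6Address) -> list:
    """Split a 128-bit address into eight 16-bit words, most significant first."""
    p = addr.packed
    return [(p[i] << 8) | p[i + 1] for i in range(0, 16, 2)]


def _from_words(words) -> ipaddress.IPv6Address:
    """Inverse of _words()."""
    return ipaddress.IPv6Address(b"".join(w.to_bytes(2, "big") for w in words))


def ones_complement_sum(words) -> int:
    """16-bit one's complement sum, the arithmetic used by TCP/UDP checksums."""
    total = 0
    for w in words:
        total += w & 0xFFFF
        total = (total & 0xFFFF) + (total >> 16)   # fold the carry back in
    return total


def ones_complement_sub(a: int, b: int) -> int:
    """a - b in one's complement arithmetic (subtracting b == adding ~b)."""
    return ones_complement_sum([a, (~b) & 0xFFFF])


def checksum_contribution(addr) -> int:
    """What an address adds to a transport pseudo-header checksum."""
    s = ones_complement_sum(_words(ipaddress.IPv6Address(addr)))
    return 0 if s == 0xFFFF else s   # 0xFFFF is negative zero


class NPTv6:
    """Stateless, checksum-neutral translator for one internal/external /64 pair.

    Assumption about the edge case (my reading of RFC 6296 section 3.2, not
    verified against the ipfw implementation): the adjustment is added to the
    first 16-bit word of the interface identifier that is not 0xFFFF, a result
    of 0xFFFF is written as 0x0000, and an IID that is all 0xFFFF is dropped.
    """

    def __init__(self, internal: str, external: str):
        self.int_net = ipaddress.IPv6Network(internal)
        self.ext_net = ipaddress.IPv6Network(external)
        for net in (self.int_net, self.ext_net):
            if net.is_link_local:
                raise ValueError(f"{net}: link-local prefixes are not forwardable")
            if net.prefixlen != 64:
                raise ValueError(f"{net}: this model handles /64 prefixes only")
        int_sum = ones_complement_sum(_words(self.int_net.network_address)[:4])
        ext_sum = ones_complement_sum(_words(self.ext_net.network_address)[:4])
        # Replacing the prefix changes the address's checksum contribution by
        # (ext_sum - int_sum); adding (int_sum - ext_sum) to one IID word undoes it.
        self.outbound_adj = ones_complement_sub(int_sum, ext_sum)
        self.inbound_adj = ones_complement_sub(ext_sum, int_sum)

    @staticmethod
    def _translate(addr, src_net, dst_net, adj):
        if addr not in src_net:
            raise ValueError(f"{addr} is not inside {src_net}")
        words = _words(addr)
        words[:4] = _words(dst_net.network_address)[:4]   # swap the /64 prefix
        for i in range(4, 8):
            if words[i] != 0xFFFF:
                new = ones_complement_sum([words[i], adj])
                words[i] = 0 if new == 0xFFFF else new
                return _from_words(words)
        raise ValueError(f"{addr}: interface identifier is all 0xFFFF, drop")

    def outbound(self, addr) -> ipaddress.IPv6Address:
        """Internal -> external (packet leaving the site)."""
        return self._translate(ipaddress.IPv6Address(addr),
                               self.int_net, self.ext_net, self.outbound_adj)

    def inbound(self, addr) -> ipaddress.IPv6Address:
        """External -> internal (packet entering the site)."""
        return self._translate(ipaddress.IPv6Address(addr),
                               self.ext_net, self.int_net, self.inbound_adj)


if __name__ == "__main__":
    # Constructed sample: a ULA site prefix mapped onto a documentation prefix.
    t = NPTv6("fd00:1234:5678:1::/64", "2001:db8:1:1::/64")
    ext = t.outbound("fd00:1234:5678:1::10")
    print(ext, t.inbound(ext))
    print(checksum_contribution("fd00:1234:5678:1::10") == checksum_contribution(ext))
    try:
        NPTv6("fe80::/64", "2001:db8:1:1::/64")   # what the original poster asked for
    except ValueError as e:
        print("refused:", e)
```

Checksum neutrality is the property worth checking: checksum_contribution() returns the same value for the internal address and its translation, so TCP and UDP checksums computed by the end hosts stay valid without the translator touching the transport header. The link-local check at the top is the same test to apply before configuring an nptv6 instance at all: a fe80::/10 prefix fails it, which is Andrey's point.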
From: bugzilla-noreply@freebsd.org
To: ipfw@FreeBSD.org
Subject: [Bug 238694] Configuring & using a customized IPFW rule set now causes additional rules to be (involuntarily) added
Date: Wed, 19 Jun 2019 22:05:11 +0000
X-Bugzilla-Who: rkoberman@gmail.com

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=238694

rkoberman@gmail.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |rkoberman@gmail.com

--- Comment #2 from rkoberman@gmail.com ---
It is not a bug as it is mandatory for IPv6 support. Without those rules, the
network startup will hang. If IPv6 is disabled, it would be best if those rules
were NOT added and that might be a bug, but, assuming the default setting of
deny_by_default, the firewall is always started before the network and
deny_by_default will block ICMPv6 resulting in the system startup never
completing.

I concede that this needs to be clearly documented, but the behavior is
mandatory. Like the localhost name, loopback configuration, and the terminal
"65535 deny ip from any to any" for deny-by-default, these are simply required
for normal network operations.

-- 
You are receiving this mail because:
You are the assignee for the bug.

From owner-freebsd-ipfw@freebsd.org Wed Jun 19 23:04:02 2019
From: bugzilla-noreply@freebsd.org
To: ipfw@FreeBSD.org
Subject: [Bug 238694] Configuring & using a customized IPFW rule set now causes additional rules to be (involuntarily) added
Date: Wed, 19 Jun 2019 23:04:01 +0000
X-Bugzilla-Who: rgrimes@FreeBSD.org

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=238694

--- Comment #3 from Rodney W. Grimes ---
(In reply to rkoberman from comment #2)
You're ignoring the fact that though these rules MAY be needed the rc.firewall
script can not know where and at what rule numbers they need to be to function
correctly with my custom written firewall.script invoked by
"firewall_type=pathname". In my custom firewall the loopback rules are NOT at
100,200.. but are in fact buried much deeper in other logic as running these
rules for every packet is a total waste of time since very little of my traffic
is from or to lo0.

You're also assuming that someone is running the stuff you mention, and that
is, as the Primary Reporter has stated, and I have acknowledged, a bad
assumption.

-- 
You are receiving this mail because:
You are the assignee for the bug.

From owner-freebsd-ipfw@freebsd.org Thu Jun 20 05:32:20 2019
From: bugzilla-noreply@freebsd.org
To: ipfw@FreeBSD.org
Subject: [Bug 238694] Configuring & using a customized IPFW rule set now causes additional rules to be (involuntarily) added
Date: Thu, 20 Jun 2019 05:32:18 +0000
X-Bugzilla-Who: rkoberman@gmail.com

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=238694

--- Comment #4 from rkoberman@gmail.com ---
Bottom line default requirements:
1. System firewall must start with a deny-by-default rule in place when
   network starts
2. Both IPv4 and IPv6 must start
3. Mandatory packets must be allowed from network start. This includes
   loopback for both IPv4 and IPv6 as well as support for several ICMPv6 and
   group addresses that are mandatory for default IPv6 function.

When I suggested starting the firewall after the network had started, I was
immediately (and correctly) shut down because of the security vulnerability
this presents. That is why it needs proper documentation so you can insert
rules between those that are mandatory. With spacing of every 100, there is a
lot of room.

I have no answer for the issue of efficiency via the ordering of rules. While
the time required to process these rules is very small, it is not zero. (Darn
close for the trivial, stateless rules, though.) Since I agree the way it is
done now is totally non-transparent, the only solution I can see is proper
documentation.

-- 
You are receiving this mail because:
You are the assignee for the bug.

From owner-freebsd-ipfw@freebsd.org Thu Jun 20 05:50:35 2019
From: bugzilla-noreply@freebsd.org
To: ipfw@FreeBSD.org
Subject: [Bug 238694] Configuring & using a customized IPFW rule set now causes additional rules to be (involuntarily) added
Date: Thu, 20 Jun 2019 05:50:32 +0000
X-Bugzilla-Who: rgrimes@FreeBSD.org

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=238694

--- Comment #5 from Rodney W. Grimes ---

(In reply to rkoberman from comment #4)

You're now implementing, or advocating implementing, policies that are simply not within the scope of what FreeBSD should be implementing. I'll give you that your list of default requirements is valid and correct, but the moment a user TOUCHES firewall_foo we are no longer in the default world, and we should fully respect whatever policy the user so chooses and should fully and correctly do so in the most painless way possible. If the user wishes to change things he shall be allowed to, otherwise we are driving him to go edit etc/rc.firewall and that is not the desired result.

Furthermore this IS a regression in behavior; in the past we had no such rules being added in this case, and that more than anything is the reason we have this bug report at all, and we should respect that as a true and valid issue.

Bottom line, no one is advocating changing what the end result of the DEFAULT configuration is; we (I) are advocating that things be made properly flexible and backwards compatible, i.e. this user's old and working configuration suddenly broke in unexpected ways and that is just bad.

It is rather trivial to fix:

	case ${firewall_type} in
	(very long regex that matches all the known types)
		setup_loopback
		setup_ipv6_mandatory
		;;
	esac

restores prior behavior and your "Requirements" have also been met.
-- 
You are receiving this mail because:
You are the assignee for the bug.

From owner-freebsd-ipfw@freebsd.org Thu Jun 20 09:56:06 2019
From: Jan Bramkamp <crest@rlwinm.de>
To: freebsd-ipfw@freebsd.org
Subject: Re: Look for an ipfw example using NPTv6
Date: Thu, 20 Jun 2019 11:55:54 +0200
Message-ID: <3629aeba-61ef-2cce-4971-c3a0ed973765@rlwinm.de>

On 18.06.19 22:00, Michael Sierchio wrote:
> I'm looking for a simple firewall example using nptv6 to translate
> link-local addresses to match the prefix assigned by my ISP. I'll be using
> stateful rules and allowing only outbound traffic.
>
> If you have a snippet, I'll be grateful. Thanks.
>

This sounds like you're trying to force IPv6 to behave like IPv4 with longer addresses and just replace RFC1918 addresses with link-local addresses. This isn't going to work because the differences are larger than just the address length. Link-local addresses are just what the name says: they are local to the link. A link-local address isn't even unique within a host, e.g. you can have fe80::1234%em0 and fe80::1234%em1 on the same host.

In theory you can get very close to NAT between global unicast addresses and private addresses by configuring NPTv6 between global unicast addresses and unique local addresses, but that would be a terrible choice. One of the great advantages of IPv6 is that it removes the address scarcity that forced NAT upon us. Each IPv6 device can have as many global IPv6 unicast addresses as required.

Would you feel comfortable describing the constraints shaping your design to us?
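The variant Jan calls workable, a unique local prefix inside translated to a global prefix outside, is what ipfw's nptv6 action implements. The script below is an added example, not a snippet posted in this thread and not taken from rc.firewall. The interface name em0, the inside prefix fd12:3456:789a:1::/64, the translator name NPT and the rule numbers are assumptions. It uses the translator's ext_if option, which takes the external prefix from the first global address on em0, so the rules survive an ISP renumbering (the constraint Michael describes later in the thread), and it orders the stateful rules around the translation so that replies are matched against state created on the untranslated inside address.

```sh
#!/bin/sh
# Added example, not code from the thread: ipfw NPTv6 (RFC 6296) between a
# stable unique local /64 inside and whatever global /64 currently sits on
# the outside interface, with a stateful outbound-only policy on top.
# Assumptions: em0 is the outside interface, fd12:3456:789a:1::/64 is the
# inside prefix, the box runs FreeBSD 12 with ipfw_nptv6 available.
# Dry run by default: the commands are printed.  IPFW_APPLY=1 executes them.

EXT_IF=${EXT_IF:-em0}
INT_PREFIX=${INT_PREFIX:-fd12:3456:789a:1::/64}

# run: execute a command, or print it when dry-running.
run() {
    if [ "${IPFW_APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

nptv6_ruleset() {
    run kldload -n ipfw_nptv6
    # Let a packet continue to the next rule after nptv6 has rewritten it;
    # with one_pass=1 the rewritten packet would be accepted on the spot.
    run sysctl net.inet.ip.fw.one_pass=0
    # ext_if: the translator takes its external prefix from the first global
    # address on $EXT_IF, so an ISP renumbering needs no rule changes.
    run ipfw -q nptv6 NPT create int_prefix "$INT_PREFIX" ext_if "$EXT_IF" prefixlen 64

    # Loopback, DAD and neighbour discovery must stay open (compare
    # rc.firewall's setup_loopback and setup_ipv6_mandatory).
    run ipfw -q add 100 allow ip from any to any via lo0
    run ipfw -q add 200 allow ipv6-icmp from :: to ff02::/16
    run ipfw -q add 210 allow ipv6-icmp from fe80::/10 to fe80::/10
    run ipfw -q add 220 allow ipv6-icmp from fe80::/10 to ff02::/16
    run ipfw -q add 230 allow ipv6-icmp from any to any icmp6types 1,2,135,136

    # Inbound on the outside interface.  The router's own global address is
    # inside the external /64 as well, so exempt it before untranslating;
    # otherwise replies to the router itself would be rewritten to an inside
    # address that does not exist.  Packets whose destination is not in the
    # external prefix pass rule 1010 unchanged.
    run ipfw -q add 1000 skipto 1100 ip6 from any to me6 in via "$EXT_IF"
    run ipfw -q add 1010 nptv6 NPT ip6 from any to any in via "$EXT_IF"
    run ipfw -q add 1100 check-state
    # Outbound: create state on the untranslated inside address, then jump to
    # the translation rule.  Replies matched by check-state take the same
    # skipto, miss rule 5000 (it is 'out' only) and are allowed by 5100.
    run ipfw -q add 1200 skipto 5000 tcp from "$INT_PREFIX" to any out via "$EXT_IF" setup keep-state
    run ipfw -q add 1210 skipto 5000 udp from "$INT_PREFIX" to any out via "$EXT_IF" keep-state
    run ipfw -q add 1220 skipto 5000 ipv6-icmp from "$INT_PREFIX" to any out via "$EXT_IF" keep-state
    run ipfw -q add 1230 skipto 5000 ip6 from me6 to any out via "$EXT_IF" keep-state
    # Nothing else crosses the outside interface; unsolicited inbound
    # traffic ends here.
    run ipfw -q add 4000 deny log ip6 from any to any via "$EXT_IF"
    # Translate the inside source prefix on the way out, then allow.  IPv6
    # that never touches $EXT_IF (the inside segment) also lands on 5100.
    run ipfw -q add 5000 nptv6 NPT ip6 from "$INT_PREFIX" to any out via "$EXT_IF"
    run ipfw -q add 5100 allow ip6 from any to any
}

nptv6_ruleset
```

As written the script prints the commands; IPFW_APPLY=1 runs them, which needs root on a FreeBSD 12 host. The me6 exemption in rule 1000 matters precisely when the external prefix comes from ext_if: the router's own address is in that /64, and without the exemption replies to the router would be rewritten into the inside prefix. IPv4 is not covered by these rules and falls through to the kernel's default rule.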
From owner-freebsd-ipfw@freebsd.org Thu Jun 20 13:39:19 2019
From: bugzilla-noreply@freebsd.org
To: ipfw@FreeBSD.org
Subject: [Bug 238694] Configuring & using a customized IPFW rule set now causes additional rules to be (involuntarily) added
Date: Thu, 20 Jun 2019 13:39:16 +0000
X-Bugzilla-Who: karl@denninger.net
X-Bugzilla-Changed-Fields: cc

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=238694

karl@denninger.net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |karl@denninger.net

--- Comment #6 from karl@denninger.net ---

Just a quick note on practicality in the real world.

If you don't have an "ipfw -f flush" as the *first* element in your custom script file you're eventually going to get a nasty and unwanted surprise. If you *do* have such as the first element of your custom script then whatever was there before it executes is gone.

I use the custom script myself and have since forever as my configuration in places where I need ipfw is quite complex, and when I moved to 12.x I noted no change in behavior.... likely for this reason.

-- 
You are receiving this mail because:
You are the assignee for the bug.

From owner-freebsd-ipfw@freebsd.org Thu Jun 20 14:36:03 2019
From: bugzilla-noreply@freebsd.org
To: ipfw@FreeBSD.org
Subject: [Bug 238694] Configuring & using a customized IPFW rule set now causes additional rules to be (involuntarily) added
Date: Thu, 20 Jun 2019 14:36:00 +0000
X-Bugzilla-Who: rgrimes@FreeBSD.org

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=238694

--- Comment #7 from Rodney W. Grimes ---

(In reply to karl from comment #6)

I agree Karl, one does have to be very careful when hand crafting their own firewall. Most of mine do in fact use the simple flush, but there are other techniques, such as load the set of rules into a known empty set and do a set flip, complicated state management that knows how to incrementally remove and add the proper sequence of rules, etc.

I think the reason so very few reports exist about this bug is that we have 2 ways to cause an external script to load, setting firewall_type="/path/to/file" and firewall_script="/path/to/file". The second form always works exactly as we (we being I think all of us) expected it to, however the former now has this wart that we get the, by my claim fake, loopback stuff. It is this wart that is at issue and we should solve that so the behavior of firewall_script= and firewall_type=path are exactly the same.

Can I get an agreement on that point?

-- 
You are receiving this mail because:
You are the assignee for the bug.

From owner-freebsd-ipfw@freebsd.org Thu Jun 20 14:36:23 2019
From: Michael Sierchio <kudzu@tenebras.com>
To: Jan Bramkamp <crest@rlwinm.de>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Look for an ipfw example using NPTv6
Date: Thu, 20 Jun 2019 07:35:45 -0700
In-Reply-To: <3629aeba-61ef-2cce-4971-c3a0ed973765@rlwinm.de>
References: <3629aeba-61ef-2cce-4971-c3a0ed973765@rlwinm.de>

Oh, the problem is simply that my ISP assigns me a ::/64 but there is no guarantee that it's mine for the duration.

I'm in the process of securing my own IPv6 block, but was hoping for an interim solution.

One that occurred to me is to use a public ::/56 that's allocated (but unused) to me in an AWS VPC. Route advertisements from them would make them unusable directly, but then NPTv6 would work.

Open to any suggestions.... ;-)

– M

On Thu, Jun 20, 2019 at 2:57 AM Jan Bramkamp wrote:
> [...]

-- 
"Well," Brahmā said, "even after ten thousand explanations, a fool is no wiser, but an intelligent person requires only two thousand five hundred."
- The Mahābhārata

From owner-freebsd-ipfw@freebsd.org Thu Jun 20 14:51:48 2019
From: "Rodney W. Grimes" <freebsd-rwg@gndrsh.dnsmgr.net>
To: Michael Sierchio <kudzu@tenebras.com>
Cc: Jan Bramkamp <crest@rlwinm.de>, freebsd-ipfw@freebsd.org
Subject: Re: Look for an ipfw example using NPTv6
Date: Thu, 20 Jun 2019 07:51:42 -0700 (PDT)
Message-Id: <201906201451.x5KEpgJq023626@gndrsh.dnsmgr.net>

> Oh, the problem is simply that my ISP assigns me a ::/64 but there is no
> guarantee that it's mine for the duration.
>
> I'm in the process of securing my own IPv6 block, but was hoping for an
> interim solution.
>
> One that occurred to me is to use a public ::/56 that's allocated (but
> unused) to me in an AWS VPC. Route advertisements from them would make
> them unusable directly, but then NPTv6 would work.
>
> Open to any suggestions.... ;-)

Go to the he.net tunnel broker (https://tunnelbroker.net/), get a tunnel, get a /48, put that behind your NPTv6.

Be Happy. :-)

> [...]

-- 
Rod Grimes                                                 rgrimes@freebsd.org

From owner-freebsd-ipfw@freebsd.org Thu Jun 20 15:31:46 2019
From: bugzilla-noreply@freebsd.org
To: ipfw@FreeBSD.org
Subject: [Bug 238694] Configuring & using a customized IPFW rule set now causes additional rules to be (involuntarily) added
Date: Thu, 20 Jun 2019 15:31:44 +0000
X-Bugzilla-Who: karl@denninger.net

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=238694

--- Comment #8 from karl@denninger.net ---

(In reply to Rodney W. Grimes from comment #7)

I never took the "firewall_type" parameter as being legitimate to point at a script..... Maybe I'm a bit too pedantic but it has kept me out of trouble in this regard! :)

-- 
You are receiving this mail because:
You are the assignee for the bug.

From owner-freebsd-ipfw@freebsd.org Thu Jun 20 15:43:20 2019
kenobi.freebsd.org ([127.0.1.118]) by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id x5KFhIjQ032636 for ; Thu, 20 Jun 2019 15:43:18 GMT (envelope-from bugzilla-noreply@freebsd.org) Received: (from www@localhost) by kenobi.freebsd.org (8.15.2/8.15.2/Submit) id x5KFhIqI032635 for ipfw@FreeBSD.org; Thu, 20 Jun 2019 15:43:18 GMT (envelope-from bugzilla-noreply@freebsd.org) X-Authentication-Warning: kenobi.freebsd.org: www set sender to bugzilla-noreply@freebsd.org using -f From: bugzilla-noreply@freebsd.org To: ipfw@FreeBSD.org Subject: [Bug 238694] Configuring & using a customized IPFW rule set now causes additional rles to be (involuntarily) added Date: Thu, 20 Jun 2019 15:43:18 +0000 X-Bugzilla-Reason: AssignedTo X-Bugzilla-Type: changed X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: Base System X-Bugzilla-Component: conf X-Bugzilla-Version: 12.0-RELEASE X-Bugzilla-Keywords: regression X-Bugzilla-Severity: Affects Some People X-Bugzilla-Who: rgrimes@FreeBSD.org X-Bugzilla-Status: New X-Bugzilla-Resolution: X-Bugzilla-Priority: --- X-Bugzilla-Assigned-To: ipfw@FreeBSD.org X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: Message-ID: In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 20 Jun 2019 15:43:20 -0000 https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D238694 --- Comment #9 from Rodney W. Grimes --- (In reply to karl from comment #8) Nor have I, but it is documented, it does work, and until the changes that cause the loopback stuff to always be done it worked identically. I consid= er this a regression and it should be fixed. Do you agree? Does anyone agree? 
From owner-freebsd-ipfw@freebsd.org Thu Jun 20 15:46:03 2019
From: bugzilla-noreply@freebsd.org
To: ipfw@FreeBSD.org
Subject: [Bug 238694] Configuring & using a customized IPFW rule set now causes additional rles to be (involuntarily) added
Date: Thu, 20 Jun 2019 15:46:01 +0000

--- Comment #10 from karl@denninger.net ---
(In reply to Rodney W. Grimes from comment #9)

I agree it's a regression and is easily fixed -- and thus should be.

IMHO if you set up a script that doesn't provide IPv6 rules, and DOES wind up blocking them (e.g. via the default at the end), and that stops the network from coming up (or even hangs the system waiting for it during boot) that's on you.

There are myriad non-default things you can do with the configuration that will result in having to ^C the startup from the console or even panic the box...

From owner-freebsd-ipfw@freebsd.org Thu Jun 20 19:52:04 2019
From: bugzilla-noreply@freebsd.org
To: ipfw@FreeBSD.org
Subject: [Bug 238694] Configuring & using a customized IPFW rule set now causes additional rles to be (involuntarily) added
Date: Thu, 20 Jun 2019 19:52:02 +0000

--- Comment #11 from Ronald F. Guilmette ---
Just FYI for everyone --

As it happens, *I* have "set up a script that doesn't provide IPv6 rules, and DOES wind up blocking them (e.g. via the default at the end)"... or so I believe anyway.

The system in question appears to be humming along just fine. (I am typing this message on it as we speak.)

P.S. I would love to find a person or two who is/are more knowledgeable about firewalls than I am... which is to say just about anybody... and who would be willing to take a peek at my current IPFW rule set and critique it for me.

Understandably, I am not eager to just post the thing publicly (in case it has gaping holes that I'm not aware of) but if anyone is willing to take a peek, please email me privately and I'll send you a pastebin link and we can take it from there.

From owner-freebsd-ipfw@freebsd.org Thu Jun 20 23:56:50 2019
From: Mel Pilgrim
To: Michael Sierchio
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Look for an ipfw example using NPTv6
Date: Thu, 20 Jun 2019 16:56:37 -0700

On 2019-06-20 7:35, Michael Sierchio wrote:
> Oh, the problem is simply that my ISP assigns me a ::/64 but there is no
> guarantee that it's mine for the duration.

You can work around this by using link-local addresses in your local DNS horizon, and just let devices on your network autoconf out of the dynamic /64.

I have a similar arrangement with Comcast, and dhcp6+rtadvd handles allocation changes flawlessly.

From owner-freebsd-ipfw@freebsd.org Fri Jun 21 05:25:59 2019
From: bugzilla-noreply@freebsd.org
To: ipfw@FreeBSD.org
Subject: [Bug 238694] Configuring & using a customized IPFW rule set now causes additional rules to be (involuntarily) added
Date: Fri, 21 Jun 2019 05:25:57 +0000
X-Bugzilla-Changed-Fields: short_desc

Ronald F. Guilmette changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|Configuring & using a       |Configuring & using a
                   |customized IPFW rule set    |customized IPFW rule set
                   |now causes additional rles  |now causes additional rules
                   |to be (involuntarily) added |to be (involuntarily) added

From owner-freebsd-ipfw@freebsd.org Fri Jun 21 11:19:06 2019
From: "Andrey V. Elsukov" <bu7cher@yandex.ru>
To: Michael Sierchio, Jan Bramkamp
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Look for an ipfw example using NPTv6
Date: Fri, 21 Jun 2019 14:16:46 +0300
On 20.06.2019 17:35, Michael Sierchio wrote:
> Oh, the problem is simply that my ISP assigns me a ::/64 but there is no
> guarantee that it's mine for the duration.
>
> I'm in the process of securing my own IPv6 block, but was hoping for an
> interim solution.
>
> One that occurred to me is to use a public ::/56 that's allocated (but
> unused) to me in an AWS VPC. Route advertisements from them would make
> them unusable directly, but then NPTv6 would work.
>
> Open to any suggestions.... ;-)

You can use your own prefix with global IPv6 addresses in the internal network, and use NPTv6 with the "ext_if external_ifname" option. It will automatically use the prefix configured on the external interface. This feature is available in stable/12+.

-- 
WBR, Andrey V. Elsukov

From owner-freebsd-ipfw@freebsd.org Sat Jun 22 20:29:57 2019
From: Michael Sierchio
To: freebsd-ipfw@freebsd.org
Subject: Re: Look for an ipfw example using NPTv6
Date: Sat, 22 Jun 2019 13:29:18 -0700
I'm currently running 11.2. What's the recommended dhcpd for ipv6 (or both ipv4 and ipv6)?

On Thu, Jun 20, 2019 at 7:51 AM Rodney W. Grimes <freebsd-rwg@gndrsh.dnsmgr.net> wrote:
> > Oh, the problem is simply that my ISP assigns me a ::/64 but there is no
> > guarantee that it's mine for the duration.
> >
> > I'm in the process of securing my own IPv6 block, but was hoping for an
> > interim solution.
> >
> > One that occurred to me is to use a public ::/56 that's allocated (but
> > unused) to me in an AWS VPC. Route advertisements from them would make
> > them unusable directly, but then NPTv6 would work.
> >
> > Open to any suggestions.... ;-)
>
> Go to the he.net tunnel broker (https://tunnelbroker.net/),
> get a tunnel, get a /48, put that behind your NPTv6. Be Happy. :-)
>
> > - M
> >
> > On Thu, Jun 20, 2019 at 2:57 AM Jan Bramkamp wrote:
> > > On 18.06.19 22:00, Michael Sierchio wrote:
> > > > I'm looking for a simple firewall example using nptv6 to translate
> > > > link-local addresses to match the prefix assigned by my ISP. I'll be using
> > > > stateful rules and allowing only outbound traffic.
> > > >
> > > > If you have a snippet, I'll be grateful. Thanks.
> > >
> > > This sounds like you're trying to force IPv6 to behave like IPv4 with
> > > longer addresses and just replaced RFC1918 addresses with link local
> > > addresses. This isn't going to work because the differences are larger
> > > than just the address length. Link local addresses are just what the
> > > name says: they are local to the link. A link local address isn't even
> > > unique within a host, e.g. you can have fe80::1234%em0 and fe80::1234%em1
> > > on the same host.
> > >
> > > In theory you can get very close to NAT between global unicast addresses
> > > and private addresses by configuring NPTv6 between global unicast
> > > addresses and unique local addresses, but that would be a terrible
> > > choice. One of the great advantages of IPv6 is that it removes the address
> > > scarcity that forced NAT upon us. Each IPv6 device can have as many global
> > > IPv6 unicast addresses as required.
> > >
> > > Would you feel comfortable describing the constraints shaping your
> > > design to us?
> > >
> > > _______________________________________________
> > > freebsd-ipfw@freebsd.org mailing list
> > > https://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> >
> > --
> > "Well," Brahmā said, "even after ten thousand explanations, a fool is no
> > wiser, but an intelligent person requires only two thousand five hundred."
> > - The Mahābhārata
>
> --
> Rod Grimes
> rgrimes@freebsd.org

-- 
"Well," Brahmā said, "even after ten thousand explanations, a fool is no wiser, but an intelligent person requires only two thousand five hundred."

- The Mahābhārata
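As an added example, not code from this thread or from FreeBSD's ipfw, here is the checksum-neutral prefix mapping of RFC 6296 that an NPTv6 translator (ipfw's nptv6 module in the ext_if setup Andrey describes, or the tunnel-broker /48 Rod suggests) applies to each address, written in Python so the arithmetic can be checked offline. The prefixes, host addresses, rule numbers and interface name are constructed, and the ipfw rule lines are my reading of ipfw(8), so verify them against your release's man page.

```python
import ipaddress
from typing import List, Optional


def ones_sum(words: List[int]) -> int:
    """One's complement sum of 16-bit words, folded back into 16 bits."""
    total = sum(words)
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def to_words(addr: ipaddress.IPv6Address) -> List[int]:
    """Split an address into its eight 16-bit words."""
    raw = addr.packed
    return [(raw[i] << 8) | raw[i + 1] for i in range(0, 16, 2)]


def from_words(words: List[int]) -> ipaddress.IPv6Address:
    return ipaddress.IPv6Address(bytes(b for w in words for b in (w >> 8, w & 0xFF)))


def address_checksum(addr) -> int:
    """One's complement sum over all eight words; 0xFFFF is the same value as 0."""
    s = ones_sum(to_words(ipaddress.IPv6Address(addr)))
    return 0 if s == 0xFFFF else s


class NPTv6:
    """Stateless, checksum-neutral prefix translation as specified in RFC 6296.

    Same-length prefixes only (the ISP /64 and tunnel /48 cases from the thread)."""

    def __init__(self, int_prefix: str, ext_prefix: str) -> None:
        self.int_net = ipaddress.IPv6Network(int_prefix)
        self.ext_net = ipaddress.IPv6Network(ext_prefix)
        if self.int_net.prefixlen != self.ext_net.prefixlen or self.int_net.prefixlen > 64:
            raise ValueError("this example handles equal-length prefixes of at most /64")
        self.plen = self.int_net.prefixlen
        # /48 or shorter: sum words 0..2 and adjust word 3 (the subnet id).
        # /49../64: sum words 0..3 and adjust the first IID word that is not 0xFFFF.
        n = 3 if self.plen <= 48 else 4
        int_sum = ones_sum(to_words(self.int_net.network_address)[:n])
        ext_sum = ones_sum(to_words(self.ext_net.network_address)[:n])
        # "internal minus external" in one's complement arithmetic is a + ~b.
        self.out_adj = ones_sum([int_sum, (~ext_sum) & 0xFFFF])
        self.in_adj = ones_sum([ext_sum, (~int_sum) & 0xFFFF])

    def _translate(self, addr, src_net, dst_net, adj) -> Optional[ipaddress.IPv6Address]:
        addr = ipaddress.IPv6Address(addr)
        if addr not in src_net:
            return None  # not covered by this instance: left unchanged
        # Swap the prefix bits, keep the host bits.
        swapped = int(dst_net.network_address) | (int(addr) & int(src_net.hostmask))
        words = to_words(ipaddress.IPv6Address(swapped))
        if self.plen <= 48:
            idx = 3
        else:
            idx = next((i for i in range(4, 8) if words[i] != 0xFFFF), None)
            if idx is None:
                return None  # IID of all 0xFFFF words cannot be translated
        words[idx] = ones_sum([words[idx], adj])
        if words[idx] == 0xFFFF:
            # Positive zero is written instead of negative zero. This is also why
            # an input word of 0xFFFF cannot round-trip and is skipped above.
            words[idx] = 0x0000
        return from_words(words)

    def outbound(self, src):
        """Internal source address -> external (what the 'out' ipfw rule does)."""
        return self._translate(src, self.int_net, self.ext_net, self.out_adj)

    def inbound(self, dst):
        """External destination address -> internal (what the 'in' ipfw rule does)."""
        return self._translate(dst, self.ext_net, self.int_net, self.in_adj)


def ipfw_rules(name: str, int_prefix: str, ext_if: str) -> List[str]:
    """ipfw lines for the ext_if form from the thread (assumed from ipfw(8); verify)."""
    return [
        f"ipfw nptv6 {name} create int_prefix {int_prefix} ext_if {ext_if}",
        f"ipfw add 1000 nptv6 {name} ip6 from {int_prefix} to any out via {ext_if}",
        f"ipfw add 1001 nptv6 {name} ip6 from any to any in via {ext_if}",
    ]


if __name__ == "__main__":
    # Constructed prefixes: a ULA inside, a documentation /64 standing in for the ISP's.
    t = NPTv6("fd00:db8:1:1::/64", "2001:db8:aaaa:5::/64")
    for host in ("fd00:db8:1:1::1234:5678", "fd00:db8:1:1:ffff::1"):
        ext = t.outbound(host)
        neutral = address_checksum(host) == address_checksum(ext)
        print(f"{host} -> {ext} -> {t.inbound(ext)}  checksum neutral: {neutral}")
    print("\n".join(ipfw_rules("nptv6_lan", "fd00:db8:1:1::/64", "em0")))
```

Because the word adjustment keeps the one's complement sum of the address unchanged, TCP/UDP checksums computed over the original pseudo-header stay valid after translation, which is what lets ipfw's nptv6 stay stateless.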