Date: Wed, 26 Aug 2009 17:15:25 GMT
From: Flemming Jacobsen <fj@batmule.dk>
To: freebsd-gnats-submit@FreeBSD.org
Subject: misc/138208: [PATCH] Making rc.firewall (workstation) IPv6 aware
Message-ID: <200908261715.n7QHFPkj079987@www.freebsd.org>
Resent-Message-ID: <200908261720.n7QHK1q1006692@freefall.freebsd.org>
>Number: 138208 >Category: misc >Synopsis: [PATCH] Making rc.firewall (workstation) IPv6 aware >Confidential: no >Severity: non-critical >Priority: medium >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: update >Submitter-Id: current-users >Arrival-Date: Wed Aug 26 17:20:01 UTC 2009 >Closed-Date: >Last-Modified: >Originator: Flemming Jacobsen >Release: 8.0-BETA2 >Organization: >Environment: FreeBSD heartofgold.batmule.dk 8.0-BETA2 FreeBSD 8.0-BETA2 #0: Tue Aug 18 18:27:44 CEST 2009 fj@heartofgold.batmule.dk:/usr/obj/usr/src/sys/GENERIC i386 >Description: rc.firewall with firewall_type="WORKSTATION" does not allow IPv6 traffic. This patch fixes that. >How-To-Repeat: In rc.conf, set: firewall_enable="YES" firewall_type="WORKSTATION" Get IPv6 connectivity (tunnel or native). Notice that ping6 (or any other IPv6 packet sending) fails with 'Permission denied'. >Fix: Apply attached patch Patch attached with submission follows: 332c332 < ${fwcmd} add pass tcp from me to any established --- > ${fwcmd} add pass tcp from \{ me or me6 \} to any established 335,337c335,338 < ${fwcmd} add pass tcp from me to any setup keep-state < ${fwcmd} add pass udp from me to any keep-state < ${fwcmd} add pass icmp from me to any keep-state --- > ${fwcmd} add pass tcp from \{ me or me6 \} to any setup keep-state > ${fwcmd} add pass udp from \{ me or me6 \} to any keep-state > ${fwcmd} add pass icmp from me to any keep-state > ${fwcmd} add pass icmp6 from me6 to any keep-state 345c346,349 < ${fwcmd} add pass icmp from any to any icmptype 8 --- > ${fwcmd} add pass icmp from any to any icmptypes 8 > > # Allow ICMP6 pings. 
Not really required, but done for 4/6 consistency > ${fwcmd} add pass icmp6 from any to any icmp6types 128 348c352,353 < ${fwcmd} add pass icmp from any to any icmptype 3,4,11 --- > ${fwcmd} add pass icmp from any to any icmptypes 3,4,11 > ${fwcmd} add pass icmp6 from any to any icmp6types 1,2,3,4,133,134,135,136 363c368 < ${fwcmd} add pass tcp from $i to me $j --- > ${fwcmd} add pass tcp from $i to \{ me or me6 \} $j 371c376 < ${fwcmd} add pass ip from $i to me --- > ${fwcmd} add pass ip from $i to \{ me or me6 \} >Release-Note: >Audit-Trail: >Unformatted:
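Review bot: The patch is a context-free normal diff (`332c332`, `335,337c335,338`, and so on) with no file header, so every hunk applies only to the one rc.firewall revision whose line 332 holds the `established` rule. Please regenerate it as a unified diff (`diff -u`) against a named file and revision, so the surrounding rules are visible and the change can be applied to a tree that has moved.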
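Review bot: In the 335,337c335,338 hunk, the new `pass icmp6 from me6 to any keep-state` rule does not cover all of the host's own Neighbor Discovery traffic, and that deserves a comment. Duplicate Address Detection solicitations are sent from the unspecified address `::`, which `me6` does not match, and the answer to a multicast Neighbor Solicitation comes back from the target's unicast address, so the dynamic state created by `keep-state` does not match it either. Both cases pass only because of the `icmp6types ... 135,136` any-to-any rule added in the 348c352,353 hunk; note that dependency next to the rule so nobody later tightens one without the other.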
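Review bot: The 345c346,349 hunk also changes the IPv4 keyword from `icmptype 8` to `icmptypes 8`, which has nothing to do with IPv6 and is not mentioned in the description; the 348c352,353 hunk does the same to `icmptype 3,4,11`. Either state in the report that the keyword spelling is being corrected as well, or send that as a separate change. The new comment would also read better if it named ICMPv6 type 128 as echo request, to match the "pings" wording.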
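Review bot: The rule added in the 348c352,353 hunk, `pass icmp6 from any to any icmp6types 1,2,3,4,133,134,135,136`, has no comment and mixes two different things: error messages (1 destination unreachable, 2 packet too big, 3 time exceeded, 4 parameter problem) and Neighbor Discovery (133 router solicitation, 134 router advertisement, 135 and 136 neighbor solicitation and advertisement). Please split Neighbor Discovery into its own commented rule. Because the rule has no direction and matches `from any to any`, it also admits inbound type 133 and accepts router advertisements (134) from any source; is that intended for the WORKSTATION profile, or can the Neighbor Discovery rule be narrowed?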