Message-Id: <200908261715.n7QHFPkj079987@www.freebsd.org>
Date: Wed, 26 Aug 2009 17:15:25 GMT
From: Flemming Jacobsen
To: freebsd-gnats-submit@FreeBSD.org
Subject: misc/138208: [PATCH] Making rc.firewall (workstation) IPv6 aware
List-Id: Bug reports

>Number: 138208
>Category: misc
>Synopsis: [PATCH] Making rc.firewall (workstation) IPv6 aware
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: update
>Submitter-Id: current-users
>Arrival-Date: Wed Aug 26 17:20:01 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator: Flemming Jacobsen
>Release: 8.0-BETA2
>Organization:
>Environment:
FreeBSD heartofgold.batmule.dk 8.0-BETA2 FreeBSD 8.0-BETA2 #0: Tue Aug 18 18:27:44 CEST 2009 fj@heartofgold.batmule.dk:/usr/obj/usr/src/sys/GENERIC i386
>Description:
rc.firewall with firewall_type="WORKSTATION" does not allow IPv6 traffic.
This patch fixes that.
>How-To-Repeat:
In rc.conf, set:
firewall_enable="YES"
firewall_type="WORKSTATION"
Get IPv6 connectivity (tunnel or native).
Notice that ping6 (or any other IPv6 packet sending) fails with 'Permission denied'.
>Fix: Apply attached patch Patch attached with submission follows: 332c332 < ${fwcmd} add pass tcp from me to any established --- > ${fwcmd} add pass tcp from \{ me or me6 \} to any established 335,337c335,338 < ${fwcmd} add pass tcp from me to any setup keep-state < ${fwcmd} add pass udp from me to any keep-state < ${fwcmd} add pass icmp from me to any keep-state --- > ${fwcmd} add pass tcp from \{ me or me6 \} to any setup keep-state > ${fwcmd} add pass udp from \{ me or me6 \} to any keep-state > ${fwcmd} add pass icmp from me to any keep-state > ${fwcmd} add pass icmp6 from me6 to any keep-state 345c346,349 < ${fwcmd} add pass icmp from any to any icmptype 8 --- > ${fwcmd} add pass icmp from any to any icmptypes 8 > > # Allow ICMP6 pings. Not really required, but done for 4/6 consistency > ${fwcmd} add pass icmp6 from any to any icmp6types 128 348c352,353 < ${fwcmd} add pass icmp from any to any icmptype 3,4,11 --- > ${fwcmd} add pass icmp from any to any icmptypes 3,4,11 > ${fwcmd} add pass icmp6 from any to any icmp6types 1,2,3,4,133,134,135,136 363c368 < ${fwcmd} add pass tcp from $i to me $j --- > ${fwcmd} add pass tcp from $i to \{ me or me6 \} $j 371c376 < ${fwcmd} add pass ip from $i to me --- > ${fwcmd} add pass ip from $i to \{ me or me6 \} >Release-Note: >Audit-Trail: >Unformatted:
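Review bot: In hunk 345c346,349 (and again on the IPv4 line of 348c352,353) the existing rule's keyword changes from "icmptype" to "icmptypes", which the description does not mention. Please say in the PR whether this is a fix to the IPv4 rules or a cosmetic change, or split it into its own patch, so the IPv6 additions can be reviewed separately from a change to the behaviour of the existing IPv4 ruleset.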
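Review bot: In hunk 348c352,353 the added line "pass icmp6 from any to any icmp6types 1,2,3,4,133,134,135,136" has no comment and lumps two different classes of message into one "from any to any" rule. Types 1-4 are the ICMPv6 error messages (destination unreachable, packet too big, time exceeded, parameter problem), while 133-136 are router and neighbor solicitation/advertisement, which are only meaningful on the local link. Suggest adding a comment naming the types, as was done for the echo rule in the previous hunk, and putting 133-136 in a separate rule with a narrower source than "any" so that router advertisements and neighbor discovery are not accepted from arbitrary addresses.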