Date: Mon, 05 Sep 2011 17:57:09 +0200
From: Willem Jan Withagen <wjw@digiware.nl>
To: Ivan Voras <ivoras@freebsd.org>
Cc: freebsd-net@freebsd.org, "Matthew D. Fuller" <fullermd@over-yonder.net>
Subject: Re: ipfw and ipv6: "me"
Message-ID: <4E64F155.2090704@digiware.nl>
In-Reply-To: <CAF-QHFUo9si-OmXQtUFCb=sB-8FDpugziKD5MvgkwmhpCUV4KA@mail.gmail.com>
References: <j42fpl$ps4$1@dough.gmane.org> <20110905140121.GA2135@over-yonder.net> <CAF-QHFUo9si-OmXQtUFCb=sB-8FDpugziKD5MvgkwmhpCUV4KA@mail.gmail.com>
On 5-9-2011 16:35, Ivan Voras wrote:
> On 5 September 2011 16:01, Matthew D. Fuller <fullermd@over-yonder.net> wrote:
>> On Mon, Sep 05, 2011 at 02:37:08PM +0200 I heard the voice of
>> Ivan Voras, and lo! it spake thus:
>>>
>>> There is no symmetrical "me4" option which leads me to think that
>>> "me" matches only ipv4 and "me6" only ipv6.
>>
>> I can't answer for the code, but as far as I could tell as a user
>> that's the case.
>>
>> (and so my firewall script is piled up with "{ me or me6 }"'s...
>> sigh)
>
> I thought so too, and AFAIK it used to work like that, but it might be that
> something has changed. I have pretty conclusive evidence that the handling
> has either been extended to (ipv4 or ipv6) or at least is inconsistent.
>
> I've verified this by having these two rules:
>
> 02999 17 1360 skipto 3000 log tcp from me to any setup keep-state
> 03000 66661 52129939 allow tcp from me to any setup keep-state
>
> and the logs have this:
>
> Sep 5 14:29:19 element kernel: ipfw: 2999 SkipTo 3000 TCP
> [2001:xxxx:xxxx:xxxx:xxxx:56ff:fe99:3327]:43389 [2001:4f8:fff6::22]:80 out
> via em0
> Sep 5 14:29:19 element kernel: ipfw: 2999 SkipTo 3000 TCP
> [2001:4f8:fff6::22]:80 [2001:xxxx:xxxx:xxxx:xxxx:56ff:fe99:3327]:43389 in
> via em0
> Sep 5 14:31:53 element kernel: ipfw: 2999 SkipTo 3000 TCP
> 69.147.83.34:80 xxx.xxx.xxx.xxx:38991 in via em0
>
> So "tcp from me to any..." appears to match both... which would be
> fine, but then how do we match ipv4 only?

I'm seriously living with the fact that 'me' is ipv4 AND ipv6.
Never got to fixing my firewall, but this seems to indicate that me matches ipv6 also on 8.2....
08890 18210 1069880 allow tcp from any to me dst-port 22 setup
08990 0 0 allow tcp from any to me6 dst-port 22 setup
09090 18846 1088324 allow tcp from any to me dst-port 25 setup
09190 0 0 allow tcp from any to me6 dst-port 25 setup
09290 34 2160 allow tcp from any to me dst-port 26 setup
09390 0 0 allow tcp from any to me6 dst-port 26 setup
09490 3 180 allow tcp from any to me dst-port 53 setup
09590 0 0 allow tcp from any to me6 dst-port 53 setup
09690 623 37764 allow tcp from any to me dst-port 80 setup
09790 0 0 allow tcp from any to me6 dst-port 80 setup
09890 290 18680 allow tcp from any to me dst-port 993 setup
09990 0 0 allow tcp from any to me6 dst-port 993 setup

And note that I have ipv6 running between work and home.
So at least some ssh port 22 stuff should otherwise have matched the second rule.
Same goes for mail, Freebsd.org does deliver over ipv6.

postfix/smtpd[93760]: disconnect from mx2.freebsd.org[2001:4f8:fff6::35]

--WjW
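Both messages above reach their conclusion the same way: by reading ipfw's own evidence, the kernel log lines from a `log` rule and the packet counters from `ipfw -a list`. The following script, added here as an illustration and not part of the thread or of FreeBSD's ipfw, automates that check so an administrator can see which address families a rule actually matched and which `me6` rules never fired although the sibling `me` rule for the same port did. The log lines and rule list it parses are constructed samples in the format shown above (the hosts are documentation addresses, not real ones); the function names are my own.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed ipfw kernel log lines, modelled on the format quoted in the
# thread.  Rule 2999 is hit by both IPv6 and IPv4 traffic, rule 3000 by IPv4 only.
SAMPLE_LOG = """\
Sep 5 14:29:19 element kernel: ipfw: 2999 SkipTo 3000 TCP [2001:db8::1]:43389 [2001:db8::22]:80 out via em0
Sep 5 14:29:19 element kernel: ipfw: 2999 SkipTo 3000 TCP [2001:db8::22]:80 [2001:db8::1]:43389 in via em0
Sep 5 14:31:53 element kernel: ipfw: 2999 SkipTo 3000 TCP 198.51.100.34:80 203.0.113.5:38991 in via em0
Sep 5 14:32:00 element kernel: ipfw: 3000 Accept TCP 203.0.113.5:55000 198.51.100.34:443 out via em0
"""

# Constructed excerpt of `ipfw -a list` output (rule, packets, bytes, body),
# copying the shape of the counters shown in the message.
SAMPLE_LIST = """\
08890 18210 1069880 allow tcp from any to me dst-port 22 setup
08990 0 0 allow tcp from any to me6 dst-port 22 setup
09090 18846 1088324 allow tcp from any to me dst-port 25 setup
09190 0 0 allow tcp from any to me6 dst-port 25 setup
"""

# ipfw logs: "ipfw: <rule> <action>[ <arg>] <proto> <src> <dst> <in|out> via <iface>".
# The optional numeric argument covers actions such as "SkipTo 3000".
LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\S+(?: \d+)?) (?P<proto>\S+) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<dir>in|out) via (?P<iface>\S+)"
)
COUNTER_RE = re.compile(r"^\s*(?P<rule>\d+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+(?P<body>.*)$")


def parse_endpoint(token):
    """Split an ipfw endpoint token into (family, address, port).

    IPv6 endpoints are printed as [addr]:port, IPv4 ones as addr:port.
    """
    if token.startswith("["):
        addr, _, port = token[1:].partition("]:")
    else:
        addr, _, port = token.rpartition(":")
    family = "inet6" if ipaddress.ip_address(addr).version == 6 else "inet"
    return family, addr, int(port)


def parse_log_line(line):
    """Return a dict describing one ipfw log line, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    sfam, saddr, sport = parse_endpoint(m["src"])
    _, daddr, dport = parse_endpoint(m["dst"])
    return {
        "rule": int(m["rule"]), "action": m["action"], "proto": m["proto"],
        "family": sfam, "src": (saddr, sport), "dst": (daddr, dport),
        "dir": m["dir"], "iface": m["iface"],
    }


def families_per_rule(log_text):
    """Count, per rule number, how many logged packets were IPv4 and IPv6."""
    hits = defaultdict(lambda: {"inet": 0, "inet6": 0})
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec:
            hits[rec["rule"]][rec["family"]] += 1
    return dict(hits)


def rules_matching_both(log_text):
    """Rule numbers whose log entries show both address families."""
    return sorted(r for r, c in families_per_rule(log_text).items() if c["inet"] and c["inet6"])


def parse_counters(list_text):
    """Parse `ipfw -a list` lines into (rule, packets, body) tuples."""
    out = []
    for line in list_text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            out.append((int(m["rule"]), int(m["pkts"]), m["body"].strip()))
    return out


def shadowed_me6_rules(list_text):
    """(port, me_rule, me6_rule) where the 'me' rule has hits and the 'me6' one has none.

    If 'me' already matches IPv6, a later 'me6' rule for the same port can
    never fire, which is exactly the pattern of zero counters seen above.
    """
    by_port = {}
    for num, pkts, body in parse_counters(list_text):
        pm = re.search(r"to (me6?) dst-port (\d+)", body)
        if pm:
            by_port.setdefault(int(pm.group(2)), {})[pm.group(1)] = (num, pkts)
    return [
        (port, d["me"][0], d["me6"][0])
        for port, d in sorted(by_port.items())
        if "me" in d and "me6" in d and d["me"][1] > 0 and d["me6"][1] == 0
    ]


if __name__ == "__main__":
    print("families per rule:", families_per_rule(SAMPLE_LOG))
    print("rules matching both families:", rules_matching_both(SAMPLE_LOG))
    print("me6 rules shadowed by me:", shadowed_me6_rules(SAMPLE_LIST))
```

On a live system the same functions can be fed `/var/log/security` (or wherever syslog puts the `ipfw:` lines) and the output of `ipfw -a list`; a rule that shows up under both families, or a `me6` rule with zero packets behind a busy `me` rule, is the evidence the thread relies on.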