From: "Eric W. Bates"
Date: Tue, 31 Jan 2012 23:36:56 -0500
To: freebsd-net@freebsd.org
Subject: allowing gif thru ipfw
Message-ID: <4F28C168.9010206@ericx.net>

Seems like a silly question; but how does one allow the packets composing a gif tunnel thru ipfw?

I assumed a gif was made up of ipencap (IP proto 4) packets and added rules:

    $fwcmd add 00140 allow ipencap from $he_tun to me
    $fwcmd add 00141 allow ipencap from me to $he_tun

($he_tun is a Hurricane Electric provider); but neither of them are hit; so that's wrong...

    tcpdump -i em_vlan5 -nnvvs0 ip proto 4

doesn't show any packets either...

I also have the rule to allow icmp6 thru the gif:

    $fwcmd add 30132 allow icmp6 from me to any out via gif0 keep-state

but that doesn't get hit either.

Bottom line: I cannot ping the far end of my ipv6 tunnel. I receive the error "permission denied"

    ** root@olivia ** ~ ** Tue Jan 31 23:31:43
    # ping6 2001:****:****:****::1
    PING6(56=40+8+8 bytes) 2001:****:****:****::2 --> 2001:****:****:****::1
    ping6: sendmsg: Permission denied
    ping6: wrote 2001:****:****:****::1 16 chars, ret=-1
    ping6: sendmsg: Permission denied

Am I even correct in assuming that my gif packets are being blocked?

Thanks.
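The message filters on ipencap (IP protocol 4). A gif(4) tunnel that carries IPv6 over IPv4, as a Hurricane Electric tunnel does, puts IP protocol 41 on the outer IPv4 header (6in4, RFC 4213), so a rule or capture filter on protocol 4 never sees those packets. The following is an added example, not part of the original message: it builds a constructed 6in4 packet and checks which protocol number a filter has to match. The function names and the documentation-range addresses are assumptions made for the illustration.

```python
import socket
import struct

# IP protocol numbers seen on the outer header of common IPv4 tunnels.
TUNNEL_PROTOS = {4: "ipencap", 41: "ipv6", 47: "gre"}


def ipv4_header(proto, src, dst, payload_len):
    """Build a minimal 20-byte IPv4 header (checksum 0; constructed data)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def ipv6_header(next_header, src, dst, payload_len):
    """Build a 40-byte IPv6 header (constructed data)."""
    return struct.pack("!IHBB16s16s", 0x60000000, payload_len, next_header, 64,
                       socket.inet_pton(socket.AF_INET6, src),
                       socket.inet_pton(socket.AF_INET6, dst))


def outer_protocol(packet):
    """Return (number, name) of the protocol field in the outer IPv4 header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("invalid IPv4 header length")
    return packet[9], TUNNEL_PROTOS.get(packet[9], "other")


def inner_version(packet):
    """IP version of the encapsulated packet, or None if there is no payload."""
    ihl = (packet[0] & 0x0F) * 4
    return packet[ihl] >> 4 if len(packet) > ihl else None


def proto_filter_matches(filter_proto, packet):
    """Would a filter on this IP protocol number match the outer header?"""
    return outer_protocol(packet)[0] == filter_proto


# Constructed sample: ICMPv6 echo request (8 bytes) inside IPv6 inside IPv4.
ICMP6_ECHO = struct.pack("!BBHHH", 128, 0, 0, 1, 1)
INNER = ipv6_header(58, "2001:db8::2", "2001:db8::1", len(ICMP6_ECHO)) + ICMP6_ECHO
SAMPLE_6IN4 = ipv4_header(41, "192.0.2.10", "198.51.100.1", len(INNER)) + INNER

if __name__ == "__main__":
    print(outer_protocol(SAMPLE_6IN4), inner_version(SAMPLE_6IN4))
    for proto in (4, 41):
        print("filter on proto", proto, "matches:", proto_filter_matches(proto, SAMPLE_6IN4))
```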