Date:      Wed, 01 Feb 2012 09:12:09 -0500
From:      "Eric W. Bates" <ericx@ericx.net>
To:        Doug Barton <dougb@FreeBSD.org>
Cc:        freebsd-net@freebsd.org, Eugene Grosbein <eugen@grosbein.pp.ru>
Subject:   Re: allowing gif thru ipfw
Message-ID:  <4F294839.6060803@ericx.net>
In-Reply-To: <4F28F284.7070301@FreeBSD.org>
References:  <4F28C168.9010206@ericx.net> <4F28E1C7.4060209@grosbein.pp.ru> <4F28F284.7070301@FreeBSD.org>

On 2/1/2012 3:06 AM, Doug Barton wrote:
> If it's a hurricane electric tunnel don't you want protocol 41?

Well, it's a straight up gif. Right this second I'm trying to suss out 
which protocol gifs use. If it's documented, I can't find it. The 
closest bit I can find on the man page is:

The behavior of gif is mainly based on RFC2893 IPv6-over-IPv4 configured 
tunnel.

I tried to read the pertinent parts of the RFC, but it doesn't really 
discuss "type" or "protocol". It does talk about some header size issues.

Since ipfw is obviously blocking something and I can't get a handle on 
it with tcpdump, I'm groping for an understanding of the shape of the 
gif packets.

> On 01/31/2012 22:55, Eugene Grosbein wrote:
>> 01.02.2012 11:36, Eric W. Bates wrote:
>>> Seems like a silly question; but how does one allow the packets
>>> composing a gif tunnel thru ipfw?
>>>
>>> I assumed a gif was made up of ipencap (IP proto 4) packets and added rules:
>>>
>>> $fwcmd add 00140 allow ipencap from $he_tun to me
>>> $fwcmd add 00141 allow ipencap from me to $he_tun
>>>
>>> ($he_tun is a Hurricane Electric provider); but neither of them is
>>> hit; so that's wrong...
>>>
>>> tcpdump -i em_vlan5 -nnvvs0 ip proto 4
>>>
>>> doesn't show any packets either...
>>
>> Try:
>>
>> tcpdump -i em_vlan5 -nnvvs0 host $he_tun and not tcp and not udp and not icmp
>>
>> Perhaps your gif is encrypted with ipsec? That changes IP protocol numbers.
>>
>> Eugene Grosbein
>>
>
>
>
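
An added example (not part of the original message or thread): a small Python classifier for the outer IPv4 header of tunnel traffic, covering the protocol numbers discussed here: 4 (ipencap), 41 (IPv6-in-IPv4, the value RFC 2893 configured tunnels use) and 50/51 (ESP/AH, if the tunnel is wrapped in IPsec). The helper names, sample packets and addresses are constructed for illustration.

```python
import socket
import struct

# IANA-assigned IP protocol numbers relevant to a gif(4) tunnel.
TUNNEL_PROTOS = {
    4: "ipencap (IPv4-in-IPv4)",
    41: "ipv6 (IPv6-in-IPv4, RFC 2893 configured tunnel)",
    50: "esp (IPsec; inner protocol hidden)",
    51: "ah (IPsec authentication header)",
}
IPV4_HDR = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header


def classify_outer(packet: bytes) -> dict:
    """Parse the outer IPv4 header and report what it encapsulates."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack(IPV4_HDR, packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a valid IPv4 header")
    inner = packet[ihl:]
    src_s = socket.inet_ntoa(src)
    return {
        "src": src_s,
        "dst": socket.inet_ntoa(dst),
        "proto": proto,
        "kind": TUNNEL_PROTOS.get(proto, "not tunnel encapsulation"),
        # Only cleartext encapsulation exposes the inner IP version nibble.
        "inner_version": inner[0] >> 4 if inner and proto in (4, 41) else None,
        # ipfw accepts a numeric protocol; rule shape mirrors the thread's rules.
        "ipfw_rule": f"allow {proto} from {src_s} to me" if proto in TUNNEL_PROTOS else None,
    }


def build_outer(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Constructed sample packet: minimal IPv4 header, checksum left at 0."""
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


# Constructed samples (documentation addresses, zeroed payloads).
SAMPLE_6IN4 = build_outer(41, "192.0.2.1", "198.51.100.7", b"\x60" + b"\x00" * 39)
SAMPLE_TCP = build_outer(6, "192.0.2.1", "198.51.100.7", b"\x00" * 20)

if __name__ == "__main__":
    for pkt in (SAMPLE_6IN4, SAMPLE_TCP):
        print(classify_outer(pkt))
```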


