Date:      Sun, 27 Apr 2008 14:40:02 -0700
From:      "Kevin Oberman" <oberman@es.net>
To:        gavin@FreeBSD.org
Cc:        freebsd-ipfw@FreeBSD.org, freebsd-rc@FreeBSD.org
Subject:   Re: conf/123119: [patch] rc script for ipfw does not handle IPv6 
Message-ID:  <20080427214002.9F4CA45010@ptavv.es.net>
In-Reply-To: Your message of "Sun, 27 Apr 2008 11:37:52 GMT." <200804271137.m3RBbqBV019624@freefall.freebsd.org> 

> Date: Sun, 27 Apr 2008 11:37:52 GMT
> From: gavin@FreeBSD.org
> 
> Synopsis: [patch] rc script for ipfw does not handle IPv6
> 
> State-Changed-From-To: open->feedback
> State-Changed-By: gavin
> State-Changed-When: Sun Apr 27 11:35:43 UTC 2008
> State-Changed-Why: 
> To submitter: as far as I can tell, starting and stopping the IPv6
> firewall is correctly handled in /etc/rc.d/ip6fw.  Is there a reason
> why you believe this is broken?
> 
> http://www.freebsd.org/cgi/query-pr.cgi?pr=123119

ip6fw was added to the system back in the V5.0 days (not fun days for
FreeBSD) when ipfw was two separate modules, one for IPv4 and another
for IPv6. makonnen wrote the required script for the IPv6 module back in
2002 and it has lived on with mostly small fixes to deal with changes in
the startup scripts.

Back in 2006, ipfw was re-worked to make it dual stack, and it now is a
single module with a single management CLI, ipfw(8), and rules for IPv4
and IPv6 can all be included in a single configuration file.

It really makes no sense to have two very similar startup scripts, one
with a fairly non-intuitive name, for a single function. It continues
the approach that IPv6 is to be treated as something separate and not an
integrated part of the OS and I see no real purpose served by the
separation. 

Now that I have looked at ip6fw, I can see that the fix I recommended is
not adequate, although it will prevent the problem I ran into when I
thought I was stopping all of ipfw, only to find that I was still
blocked from the system (except via the console).

In my spare time (translate that to "it may take a while"), I'll look at
a merge of the two rc scripts so that those with separate configuration
files won't find things broken. (I suspect that there are not too many
of those, but their firewalls really need to be preserved.) It looks
simple on the surface, but I suspect there are a few corner cases that
might be a bit tricky.

I may even be able to come up with a solution to NDP (the IPv6
replacement for ARP) being blocked if the system is booted with the
normal "block by default" configuration.
-- 
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman@es.net			Phone: +1 510 486-8634
Key fingerprint: 059B 2DDF 031C 9BA3 14A4  EADA 927D EBB3 987B 3751

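The NDP problem raised at the end of the message (a "block by default" ipfw ruleset silently breaks IPv6 Neighbor Discovery), as an added example that is not part of the message or of FreeBSD's own rc scripts. It borrows only the ${fwcmd} convention from /etc/rc.firewall; the rule numbers, the script name allow_ndp.sh and the "apply" argument are assumptions, and the last rule (Packet Too Big) goes beyond what the message discusses.

```shell
#!/bin/sh
# Added example, not code from the message or from FreeBSD's rc.firewall:
# ipfw(8) rules that let IPv6 Neighbor Discovery (RFC 4861) through a
# block-by-default ruleset. Rule numbers are assumptions; the ${fwcmd}
# convention follows /etc/rc.firewall.
#
#   sh allow_ndp.sh apply              # install the rules
#   fwcmd=echo sh allow_ndp.sh apply   # print them instead of installing

fwcmd="${fwcmd:-/sbin/ipfw}"

# Install the exemptions at low rule numbers so they are evaluated before a
# trailing "deny ip from any to any". Each ${fwcmd} invocation adds one rule,
# the way rc.firewall drives ipfw; the function fails on the first rule that
# ipfw rejects.
ipfw_allow_ndp() {
	# Neighbor Solicitation (135) / Neighbor Advertisement (136): the source
	# may be :: (duplicate address detection), link-local or global, and an
	# NA can be sent to a global unicast address, so match on type only.
	${fwcmd} add 100 allow ipv6-icmp from any to any icmp6types 135,136 || return 1
	# Router Advertisement (134): a router always sends it from its
	# link-local address, so the source can be restricted to fe80::/10.
	${fwcmd} add 110 allow ipv6-icmp from fe80::/10 to any icmp6types 134 || return 1
	# Router Solicitation (133): hosts send it to the all-routers group
	# ff02::2, possibly from :: before they have an address.
	${fwcmd} add 120 allow ipv6-icmp from any to ff02::2 icmp6types 133 || return 1
	# Not NDP, but the next thing a default-deny IPv6 ruleset breaks:
	# Packet Too Big (2) must pass or path MTU discovery fails and large
	# transfers stall.
	${fwcmd} add 130 allow ipv6-icmp from any to any icmp6types 2 || return 1
}

if [ "${1:-}" = "apply" ]; then
	ipfw_allow_ndp
fi
```

After applying, `ipfw list` should show these four rules ahead of the catch-all deny; with `fwcmd=echo` the script only prints the ipfw commands it would run, which is the safe way to review them on a remote box before locking yourself out.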