From: Andreas Kohn
To: freebsd-ipfw@freebsd.org
Date: Wed, 05 Oct 2005 13:47:05 +0200
Message-Id: <1128512825.1052.27.camel@klamath.syndrom23.de>
Subject: ipfw2 and ipv6 - strange things happening

Hi,

I'm in the process of refining my ipfw(2) rules.

The strangeness is that I am apparently unable to filter certain ipv6
traffic correctly:

    # ipfw add 1650 pass proto 41 via rl0
    01650 allow ip from any to any via rl0
    # ipfw -c list 1650
    01650 allow via rl0

This should have been "allow proto 41 via rl0", no?
An overview of what I'd like to accomplish:

    [LAN, using IPv4 192.168.0.0/16, and IPv6]
                 |
                 |
        vr0: 192.168.0.1
              router
        rl0: 212.204.44.203, gif0, stf0
                 |
                 |
             [internet]

The router is the ipfw machine, currently running
FreeBSD 7.0-CURRENT #35: Sun Oct 2 14:16:27 CEST 2005

The router has a few interfaces:

    rl0  - Outside interface to the cable modem
    vr0  - Inside interface to the lan
    gif0 - SixXS IPv6 tunnel

    00050 divert 8668 via rl0
          [using natd for IPv4]
    00100 allow via lo0
    00200 deny ip from any to 127.0.0.0/8
    00300 deny ip from 127.0.0.0/8 to any
          [standard localhost rules]
    00400 allow not via rl0
          [allow any traffic floating around in the local net]
    00500 deny dst-port 135,139,445 recv rl0
          [kill some windows traffic from the internet early]
    00600 allow tcp from any to any established
    00700 allow frag
          [allow anything which originated from here, and frags]
    00800 allow proto icmp
          [allow any kind of icmp]
    00900 allow tcp from 212.204.44.203 to any setup
    01000 allow tcp from 192.168.0.0/16 to any setup
          [allow any ipv4 originating from here]
    01100 allow tcp from any to me dst-port 22,80,8180
          [allow services]
    01200 deny log tcp from any to any setup
          [log and drop excess traffic]
    01300 allow udp from 212.204.44.203 to any dst-port 53 keep-state
    01400 allow udp from 212.204.44.203 to any dst-port 123 keep-state
          [dns, ntp]
    01500 allow ip from any to 212.224.0.188
    01600 allow ip from 212.224.0.188 to me
          [SixXS tunnel, see below]
    01700 reset log ip from any to any
    65535 deny ip from any to any

That works, more or less.

Rules 1500 and 1600 were originally written as "allow proto 41 via rl0",
to catch any and all encapsulated ipv6 traffic. I assumed from reading
that the ipv6-in-ipv4 packets run at least twice through the firewall,
the first time as ipv4 packet, and the second time as ipv6 packets?

212.224.0.188 is deham01.sixxs.net, my SixXS tunnel endpoint.
Now, I would like to add a 6to4 interface, and with that I can no longer
use the "workaround" of filtering by the tunnel endpoint, because the
endpoint can potentially be any and all ipv4 addresses in the world.

Enabling verbose mode, I see

    1700 Reset P:41 139.30.130.13 212.204.44.203 in via rl0

in /var/log/security, which I can associate with the ping6 I started on
2002:8b1e:820d::1. I see exactly the same "Reset P:41" for the SixXS
tunnel if I remove rules 1500+1600.

But from looking at the above ipfw list output, I cannot filter these
P:41 packets by their P:41.

So for the short final questions:

a) Should "pass proto 41 via rl0" do what I expect, i.e. allow
   encapsulated ipv6 traffic? Is just the displaying of the rule a
   little broken/misleading?

b) How would I filter 6to4 traffic so that the encapsulated packets are
   passed through, and afterwards filtered as regular ipv6 traffic?

It would be nice if you had any pointers to things I'm missing here.

Best regards,
Andreas

--
aha!!! you forgot 1111111oneoneeleveneleven. eleven is overrated.
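The "Reset P:41" log line and the 6to4 address in the message above are related: a 6to4 address 2002:wwxx:yyzz::/48 embeds the IPv4 address w.x.y.z of the tunnel endpoint, so 2002:8b1e:820d::1 belongs to 139.30.130.13, the outer source the firewall logged. The following is an added example, not code from the original post; it parses ipfw log lines in the format shown above (sample lines are constructed), picks out the protocol-41 (IPv6-in-IPv4) events, derives the 6to4 prefix from the outer IPv4 source, and offers the standard sanity check for decapsulated 6to4 traffic: the inner IPv6 source's embedded IPv4 address must equal the outer IPv4 source.

```python
import ipaddress
import re

# Constructed sample lines in the layout ipfw writes to /var/log/security
# for rules with "log": "<rule> <action> <proto> <src> <dst> <in|out> via <iface>".
SAMPLE_LOG = """\
1700 Reset P:41 139.30.130.13 212.204.44.203 in via rl0
1700 Reset P:41 212.224.0.188 212.204.44.203 in via rl0
1200 Deny TCP 203.0.113.7:4567 212.204.44.203:135 in via rl0
"""

LOG_RE = re.compile(
    r"^(?P<rule>\d+)\s+(?P<action>\w+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<direction>in|out)\s+via\s+(?P<iface>\S+)$"
)


def parse_line(line):
    """Split one ipfw log line into its fields; None if the layout does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["rule"] = int(fields["rule"])
    return fields


def sixto4_prefix(ipv4):
    """6to4 /48 prefix (2002:wwxx:yyzz::/48) that embeds the given IPv4 address."""
    packed = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Network(f"2002:{packed >> 16:04x}:{packed & 0xFFFF:04x}::/48")


def embedded_ipv4(ipv6):
    """IPv4 address embedded in a 6to4 address, or None for non-6to4 addresses."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in ipaddress.IPv6Network("2002::/16"):
        return None
    return ipaddress.IPv4Address((int(addr) >> 80) & 0xFFFFFFFF)


def consistent_6to4(outer_src, inner_src):
    """After decapsulation, a 6to4 inner source must embed the outer IPv4 source."""
    return embedded_ipv4(inner_src) == ipaddress.IPv4Address(outer_src)


def proto41_events(text):
    """Return the parsed protocol-41 log events, each annotated with its 6to4 prefix."""
    events = []
    for line in text.splitlines():
        fields = parse_line(line)
        if fields and fields["proto"] == "P:41":
            events.append({**fields, "sixto4": sixto4_prefix(fields["src"])})
    return events
```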