Date:      Wed, 05 Oct 2005 13:47:05 +0200
From:      Andreas Kohn <andreas@syndrom23.de>
To:        freebsd-ipfw@freebsd.org
Subject:   ipfw2 and ipv6 - strange things happening
Message-ID:  <1128512825.1052.27.camel@klamath.syndrom23.de>


Hi,

I'm in the process of refining my ipfw(2) rules.
The strangeness is that I am apparently unable to filter certain ipv6
traffic correctly:

# ipfw add 1650 pass proto 41 via rl0
01650 allow ip from any to any via rl0
# ipfw -c list 1650
01650 allow via rl0

This should have been "allow proto 41 via rl0", no?

An overview of what I'd like to accomplish:

[LAN, using IPv4 192.168.0.0/16, and IPv6]
    |
    |
 vr0: 192.168.0.1
 router
 rl0: 212.204.44.203, gif0, stf0
    |
    |
[internet]

The router is the ipfw machine, currently running
FreeBSD 7.0-CURRENT #35: Sun Oct  2 14:16:27 CEST 2005

The router has a few interfaces:
rl0 - Outside interface to the cable modem
vr0 - Inside interface to the lan
gif0 - SixXS IPv6 tunnel

00050 divert 8668 via rl0
[using natd for IPv4]

00100 allow via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
[standard localhost rules]

00400 allow not via rl0
[allow any traffic floating around in the local net]

00500 deny dst-port 135,139,445 recv rl0
[kill some windows traffic from the internet early]

00600 allow tcp from any to any established
00700 allow frag
[allow anything which originated from here, and frags]

00800 allow proto icmp
[allow any kind of icmp]

00900 allow tcp from 212.204.44.203 to any setup
01000 allow tcp from 192.168.0.0/16 to any setup
[allow any ipv4 originating from here]

01100 allow tcp from any to me dst-port 22,80,8180
[allow services]

01200 deny log tcp from any to any setup
[log and drop excess traffic]

01300 allow udp from 212.204.44.203 to any dst-port 53 keep-state
01400 allow udp from 212.204.44.203 to any dst-port 123 keep-state
[dns, ntp]

01500 allow ip from any to 212.224.0.188
01600 allow ip from 212.224.0.188 to me
[SixXS tunnel, see below]

01700 reset log ip from any to any
65535 deny ip from any to any

That works, more or less.
Rules 1500 and 1600 were originally written as
"allow proto 41 via rl0", to catch any and all encapsulated ipv6
traffic. I assumed from reading that the ipv6-in-ipv4 packets run at
least twice through the firewall, the first time as ipv4 packet, and the
second time as ipv6 packets?
212.224.0.188 is deham01.sixxs.net, my SixXS tunnel endpoint.

Now, I would like to add a 6to4 interface, and with that I can no longer
use the "workaround" of filtering by the tunnel endpoint, because the
endpoint can be potentially any and all ipv4 address in the world.
Enabling verbose mode, I see
1700 Reset P:41 139.30.130.13 212.204.44.203 in via rl0
in /var/log/security, which I can associate with the ping6 I started on
2002:8b1e:820d::1.
I see exactly the same "Reset P:41" for the SixXS tunnel if I remove
rules 1500+1600.

But from looking at the above ipfw list output, I cannot filter these
P:41 packets by their P:41.

So for the short final questions:

a) should pass proto 41 via rl0 do what I expect? Allow encapsulated
ipv6 traffic? Is just the displaying of the rule a little
broken/misleading?

b) How would I filter 6to4 traffic so that the encapsulated packets are
passed through, and afterwards filtered as regular ipv6 traffic?

It would be nice if you had any pointers to things I'm missing here.

Best regards,
Andreas

-- 
<ankon> aha!!!
<camel69> you forgot 1111111oneoneeleveneleven
<dv_> the eleven is overrated.
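The logged outer IPv4 source (139.30.130.13) and the 6to4 address being pinged (2002:8b1e:820d::1) are the same endpoint written two ways: a 6to4 prefix is 2002: followed by the 32-bit IPv4 address of the far tunnel endpoint (0x8b1e820d == 139.30.130.13), which is why 6to4 peers can be any IPv4 address and cannot be enumerated the way the SixXS endpoint in rules 1500/1600 can. The following is an added example for this thread, not code from the original message or from ipfw: it parses log lines in the shape of the one quoted above (the other two lines are constructed), decodes 6to4 addresses with the Python standard library, and checks that a proto-41 packet's outer source matches the endpoint embedded in the inner 6to4 source, the consistency check RFC 3056's security considerations ask 6to4 routers to make. The known-peer set and the TCP sample line are assumptions for illustration.

```python
"""Relate ipfw 'P:41' log lines to 6to4 (2002::/16) addresses.

Added example, not code from the original post or from ipfw.  Standard
library only; sample log lines below are constructed in the format of the
line quoted in the message (rule, action, P:<proto>, src, dst, dir, iface).
"""
import ipaddress
import re

# Constructed sample: first line is the one quoted in the message, the
# second is the same shape for the SixXS endpoint, the third is a TCP hit
# (assumed format) that a proto-41 parser must skip.
SAMPLE_LOG = """\
1700 Reset P:41 139.30.130.13 212.204.44.203 in via rl0
1700 Reset P:41 212.224.0.188 212.204.44.203 in via rl0
1200 Deny TCP 10.0.0.5:4444 212.204.44.203:445 in via rl0
"""

# Assumed: the one configured static tunnel peer (deham01.sixxs.net from the message).
KNOWN_TUNNEL_PEERS = {"212.224.0.188"}

LINE_RE = re.compile(
    r"^(?P<rule>\d+) (?P<action>\w+) P:(?P<proto>\d+) "
    r"(?P<src>[\d.]+) (?P<dst>[\d.]+) (?P<dir>in|out) via (?P<iface>\S+)$"
)

SIXTOFOUR = ipaddress.IPv6Network("2002::/16")


def parse_proto_lines(text):
    """Parse log lines that carry a raw protocol number (P:NN).

    TCP/UDP lines carry a protocol name and ports instead and are skipped.
    """
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["rule"] = int(d["rule"])
        d["proto"] = int(d["proto"])
        entries.append(d)
    return entries


def sixtofour_endpoint(addr):
    """Return the IPv4 endpoint embedded in a 6to4 address, or None if not 6to4."""
    a = ipaddress.IPv6Address(addr)
    if a not in SIXTOFOUR:
        return None
    # Address bits 16..47 hold the IPv4 endpoint: shift 128-48 = 80 bits.
    return ipaddress.IPv4Address((int(a) >> 80) & 0xFFFFFFFF)


def sixtofour_address(v4, subnet=0, host=1):
    """Build 2002:VVVV:VVVV:subnet::host for IPv4 endpoint v4."""
    v4i = int(ipaddress.IPv4Address(v4))
    return ipaddress.IPv6Address((0x2002 << 112) | (v4i << 80) | (subnet << 64) | host)


def outer_matches_inner(outer_src, inner_src):
    """True if the outer IPv4 source of a proto-41 packet equals the endpoint
    embedded in the inner 6to4 source address.  A mismatch means the inner
    address does not belong to the host that sent the encapsulated packet."""
    ep = sixtofour_endpoint(inner_src)
    return ep is not None and ep == ipaddress.IPv4Address(outer_src)


def classify_proto41(entry, known_peers=KNOWN_TUNNEL_PEERS):
    """Tell a configured static tunnel peer apart from an arbitrary 6to4 peer."""
    if entry["proto"] != 41:
        return "not-proto-41"
    if entry["src"] in known_peers:
        return "configured-tunnel"
    return "6to4-or-unknown"


def summarise(text, known_peers=KNOWN_TUNNEL_PEERS):
    """(rule, outer src, class, 6to4 /48 the outer src would own) per P:41 line."""
    rows = []
    for e in parse_proto_lines(text):
        kind = classify_proto41(e, known_peers)
        prefix = None
        if kind == "6to4-or-unknown":
            prefix = str(ipaddress.IPv6Network(f"{sixtofour_address(e['src'], 0, 0)}/48"))
        rows.append((e["rule"], e["src"], kind, prefix))
    return rows


if __name__ == "__main__":
    for row in summarise(SAMPLE_LOG):
        print(row)
    print(sixtofour_endpoint("2002:8b1e:820d::1"))
```

Running it maps the logged 139.30.130.13 to 2002:8b1e:820d::/48, the prefix of the ping6 target, and flags 212.224.0.188 as the configured SixXS peer; any other IPv4 source shows up as a 6to4 candidate, which is exactly the traffic an endpoint-based allow rule cannot anticipate.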





Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1128512825.1052.27.camel>