Date: Thu, 17 Dec 2009 17:36:00 +0900 From: Hajimu UMEMOTO <ume@freebsd.org> To: David Horn <dhorn2000@gmail.com> Cc: freebsd-ipfw@freebsd.org Subject: Re: Unified rc.firewall ipfw me/me6 issue Message-ID: <ygek4wmyp3j.wl%ume@mahoroba.org> In-Reply-To: <25ff90d60912162320y286e37a0ufeb64397716d8c18@mail.gmail.com> References: <25ff90d60912162320y286e37a0ufeb64397716d8c18@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
--Multipart_Thu_Dec_17_17:36:00_2009-1
Content-Type: text/plain; charset=US-ASCII
Hi,
>>>>> On Thu, 17 Dec 2009 02:20:47 -0500
>>>>> David Horn <dhorn2000@gmail.com> said:
dhorn2000> Thanks for working on rc.firewall, as the old scenario of dualing
dhorn2000> rc.firewall/rc.firewall6 was not easily used in the default configurations
dhorn2000> when running dual stack. The new rc.firewall has some very decent sane
dhorn2000> defaults. My testing so far as been concentrated on firewall_type="client",
dhorn2000> dual stack v4/v6 with SLAAC for IPv6, and DHCP for IPv4. I will try some of
dhorn2000> the IPv6 tunnel scenarios later.
There is no rule to pass the IPv6 over IPv4 tunnel. You need to add
it by yourself for now. I thought it may better having it for our
default rule. However, I didn't come up with suitable default. So, I
didn't add it.
dhorn2000> I ran some tests against the now committed to -current /etc/rc.firewall, and
dhorn2000> think have found an issue. In every line that has the "me" token without
dhorn2000> the equivalent "me6" token, the command is only taking affect for ipv4.
Yes, thank you for the report. It's my mistake. The default rule
should have same behavior as possible between an IPv4 and an IPv6.
dhorn2000> ${fwcmd} add pass udp from { me or me6 } to any 53 keep-state
Your proposed patch is simple enough, thus I like it. However, we need
to consider the environment where the kernel doesn't have an IPv6
support. So, we cannot just use '{ me or me6 }', here.
How about the attached patch, instead? Sorry, but I have no test
environment for now. So, I don't test it by my self, yet. I'll test
it later.
dhorn2000> The same issue exists for several other entries as well. (possible diff
dhorn2000> attached) The other option is to modify ipfw to actually have three
dhorn2000> different "me" tokens (me/me4/me6) where the new "me" token would match both
dhorn2000> ipv4 and ipv6 local interface addresses. Currently "me" matches only ipv4
dhorn2000> addresses on my amd64 -current box.
I think 'me' matches both an IPv4 and an IPv6 is better.
dhorn2000> P.S., might also be nice to have an UPDATING entry for unified rc.firewall
Yes, it should be. I'll add an UPDATING entry later.
Sincerely,
--Multipart_Thu_Dec_17_17:36:00_2009-1
Content-Type: text/x-patch; type=patch; charset=US-ASCII
Content-Disposition: attachment; filename="rc.firewall-me6.diff"
Content-Transfer-Encoding: 7bit
Index: etc/rc.firewall
diff -u etc/rc.firewall.orig etc/rc.firewall
--- etc/rc.firewall.orig 2009-12-03 00:05:26.000000000 +0900
+++ etc/rc.firewall 2009-12-17 17:04:40.000000000 +0900
@@ -230,18 +230,30 @@
# Allow setup of incoming email
${fwcmd} add pass tcp from any to me 25 setup
+ if [ -n "$net6" ]; then
+ ${fwcmd} add pass tcp from any to me6 25 setup
+ fi
# Allow setup of outgoing TCP connections only
${fwcmd} add pass tcp from me to any setup
+ if [ -n "$net6" ]; then
+ ${fwcmd} add pass tcp from me6 to any setup
+ fi
# Disallow setup of all other TCP connections
${fwcmd} add deny tcp from any to any setup
# Allow DNS queries out in the world
${fwcmd} add pass udp from me to any 53 keep-state
+ if [ -n "$net6" ]; then
+ ${fwcmd} add pass udp from me6 to any 53 keep-state
+ fi
# Allow NTP queries out in the world
${fwcmd} add pass udp from me to any 123 keep-state
+ if [ -n "$net6" ]; then
+ ${fwcmd} add pass udp from me6 to any 123 keep-state
+ fi
# Everything else is denied by default, unless the
# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
@@ -388,14 +400,25 @@
# Allow setup of incoming email
${fwcmd} add pass tcp from any to me 25 setup
+ if [ -n "$inet6" ]; then
+ ${fwcmd} add pass tcp from any to me6 25 setup
+ fi
# Allow access to our DNS
${fwcmd} add pass tcp from any to me 53 setup
${fwcmd} add pass udp from any to me 53
${fwcmd} add pass udp from me 53 to any
+ if [ -n "$inet6" ]; then
+ ${fwcmd} add pass tcp from any to me6 53 setup
+ ${fwcmd} add pass udp from any to me6 53
+ ${fwcmd} add pass udp from me6 53 to any
+ fi
# Allow access to our WWW
${fwcmd} add pass tcp from any to me 80 setup
+ if [ -n "$inet6" ]; then
+ ${fwcmd} add pass tcp from any to me6 80 setup
+ fi
# Reject&Log all setup of incoming connections from the outside
${fwcmd} add deny log ip4 from any to any in via ${oif} setup proto tcp
@@ -409,9 +432,15 @@
# Allow DNS queries out in the world
${fwcmd} add pass udp from me to any 53 keep-state
+ if [ -n "$inet6" ]; then
+ ${fwcmd} add pass udp from me6 to any 53 keep-state
+ fi
# Allow NTP queries out in the world
${fwcmd} add pass udp from me to any 123 keep-state
+ if [ -n "$inet6" ]; then
+ ${fwcmd} add pass udp from me6 to any 123 keep-state
+ fi
# Everything else is denied by default, unless the
# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
--Multipart_Thu_Dec_17_17:36:00_2009-1
Content-Type: text/plain; charset=US-ASCII
--
Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan
ume@mahoroba.org ume@{,jp.}FreeBSD.org
http://www.imasy.org/~ume/
--Multipart_Thu_Dec_17_17:36:00_2009-1--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?ygek4wmyp3j.wl%ume>