FBSD 6.0 ipfw weirdness with ssh x-forwarding

Brian Candler B.Candler at pobox.com
Sun Dec 11 05:46:25 PST 2005


On Sat, Dec 10, 2005 at 10:43:16AM -0500, Eric W. Bates wrote:
> Dec  9 23:15:33 <security.info> gertrude kernel: ipfw: 510 Deny TCP
> [::0001]:6010 [::0001]:61310 out via lo0

Note that ::0001 is the IPv6 "localhost" address (equivalent to IPv4
127.0.0.1).

> I was hoping someone smarter than I could point me to any documentation
> about the change.
> 
> Has ipfw recently split me and me6 (I never noticed the latter before
> because I'm not using IPv6 yet [shame])?

Looking on a 5.4-STABLE system, the ipfw(8) manpage mentions 'me' but not
'me6'. Looking on the web, at
http://www.freebsd.org/cgi/man.cgi?query=ipfw&apropos=0&sektion=8&manpath=FreeBSD+6.0-RELEASE+and+Ports&format=html
I see 'me' and 'me6' options. So yes, it looks like it has been split.

> Is this a change in the way the 6.0 kernel handles lo0 traffic in general?
> 
> Is this a change in ssh forwarding?  Or has there always been IPv6 traffic?

IPv6 support has been around in FreeBSD for a long time. If this causes you
pain (as it does for me), then I recommend you remove 'options INET6' from
your kernel config and rebuild the kernel. Other things to look for are your
hosts file, which may have

::1		localhost
127.0.0.1	localhost

in which case you can swap them, or comment out the IPv6 ::1 one altogether
(otherwise IPv6 is preferred over IPv4 when using localhost). Also, a lot of
ports tend to build with IPv6 support unless you explicitly disable it. I
think there's a setting you can put in /etc/make.conf but I can't remember
offhand what it is.

Regards,

Brian.
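
An added example, not part of the original message: a small Python filter that picks out ipfw Deny entries where both endpoints are the IPv6 loopback, which is the symptom in the log line quoted above. The log layout is inferred from that one quoted line, and the function names, the 6000-6099 X11 port window and every sample line after the first are assumptions made for illustration.

```python
import ipaddress
import re

# Body of an ipfw log entry: rule, action, protocol, source, destination, direction, interface.
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\S+) (?P<proto>\S+) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<dir>in|out) via (?P<iface>\S+)"
)

def split_endpoint(endpoint):
    """Split '[v6addr]:port' or 'v4addr:port' into (address object, port or None)."""
    if endpoint.startswith("["):
        host, _, port = endpoint[1:].partition("]")
        port = port.lstrip(":")
    elif ":" in endpoint:
        host, _, port = endpoint.rpartition(":")
    else:
        host, port = endpoint, ""
    return ipaddress.ip_address(host), (int(port) if port else None)

def loopback_v6_denies(lines):
    """Return Deny entries whose source and destination are both the IPv6 loopback."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m["action"] != "Deny":
            continue
        try:
            (src, sport), (dst, dport) = split_endpoint(m["src"]), split_endpoint(m["dst"])
        except ValueError:
            continue  # address or port form this sketch does not handle
        if src.version == 6 and src.is_loopback and dst.is_loopback:
            # sshd's forwarded X displays listen on TCP 6000 + display number;
            # the 6000-6099 window used here is an assumption.
            x11 = [p - 6000 for p in (sport, dport) if p and 6000 <= p < 6100]
            hits.append({"rule": int(m["rule"]), "iface": m["iface"], "sport": sport,
                         "dport": dport, "x11_display": x11[0] if x11 else None})
    return hits

# First line is the entry quoted in the thread, joined onto one line; the rest are constructed.
SAMPLE = [
    "Dec  9 23:15:33 <security.info> gertrude kernel: ipfw: 510 Deny TCP [::0001]:6010 [::0001]:61310 out via lo0",
    "Dec  9 23:15:40 <security.info> gertrude kernel: ipfw: 510 Deny TCP 192.0.2.1:4000 198.51.100.7:22 in via em0",
    "Dec  9 23:15:41 <security.info> gertrude kernel: ipfw: 200 Accept TCP 127.0.0.1:6010 127.0.0.1:61311 out via lo0",
]

if __name__ == "__main__":
    for hit in loopback_v6_denies(SAMPLE):
        print(hit)
```

A hit on lo0 points at a ruleset whose loopback allow rule matches only IPv4, so the IPv6 loopback traffic falls through to a later deny.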


More information about the freebsd-net mailing list