allowing gif thru ipfw

Eric W. Bates ericx at
Wed Feb 1 14:14:03 UTC 2012

On 2/1/2012 3:06 AM, Doug Barton wrote:
> If it's a hurricane electric tunnel don't you want protocol 41?

Well, it's a straight up gif. Right this second I'm trying to suss out 
which protocol gifs use. If it's documented, I can't find it. The 
closest bit I can find on the man page is:

The behavior of gif is mainly based on RFC2893 IPv6-over-IPv4 configured 

I tried to read the pertinent parts of the RFC, but it doesn't really 
discuss "type" or "protocol". It does talk about some header size issues.

Since ipfw is obviously blocking something and I can't get a handle on 
it with tcpdump, I'm groping for an understanding of the shape of the 
gif packets.

> On 01/31/2012 22:55, Eugene Grosbein wrote:
>> 01.02.2012 11:36, Eric W. Bates wrote:
>>> Seems like a silly question; but how does one allow the packets
>>> composing a gif tunnel thru ipfw?
>>> I assumed a gif was made up of ipencap (IP proto 4) packets and added rules:
>>> $fwcmd add 00140 allow ipencap from $he_tun to me
>>> $fwcmd add 00141 allow ipencap from me to $he_tun
>>> ($he_tun is a Hurricane Electric provider); but neither of them is
>>> hit; so that's wrong...
>>> tcpdump -i em_vlan5 -nnvvs0 ip proto 4
>>> doesn't show any packets either...
>> Try:
>> tcpdump -i em_vlan5 -nnvvs0 host $he_tun and not tcp and not udp and not icmp
>> Perhaps your gif is encrypted with ipsec? That changes ip protocol numbers.
>> Eugene Grosbein

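The thread turns on which IP protocol number sits in the outer IPv4 header of a gif packet, since that is what both an ipfw rule and a tcpdump `ip proto` filter match on. The following is an added example, not code from the thread or from FreeBSD: it reads that field from constructed sample packets (documentation addresses, zero checksums) for IPv6-over-gif (41), IPv4-over-gif (4) and a gif protected by IPsec ESP (50).

```python
import socket
import struct

# IANA protocol numbers that can appear in the outer IPv4 header of a tunnel.
OUTER_PROTOS = {4: "ipencap", 41: "ipv6", 50: "esp", 51: "ah"}

def build_outer(proto: int, inner: bytes) -> bytes:
    """Constructed sample: 20-byte IPv4 header (checksum left 0) + inner."""
    src = socket.inet_aton("192.0.2.1")      # documentation addresses,
    dst = socket.inet_aton("198.51.100.1")   # not taken from the thread
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner),
                       0, 0, 64, proto, 0, src, dst) + inner

def inspect(packet: bytes) -> dict:
    """Report the outer protocol number and the version of the inner packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IPv4 header length")
    proto = packet[9]                        # protocol field of the outer header
    inner = packet[ihl:]
    # Only proto 4 and 41 carry a cleartext IP header; ESP hides the inner packet.
    inner_version = inner[0] >> 4 if proto in (4, 41) and inner else None
    return {
        "proto": proto,
        "name": OUTER_PROTOS.get(proto, "other"),
        "inner_version": inner_version,
        "tcpdump_filter": f"ip proto {proto}",
    }

# Constructed samples, one per case raised in the thread.
SAMPLES = {
    "IPv6 over gif": build_outer(41, b"\x60" + b"\x00" * 39),
    "IPv4 over gif": build_outer(4, b"\x45" + b"\x00" * 19),
    "gif protected by ESP": build_outer(50, b"\x00" * 16),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(label, inspect(pkt))
```

A filter or rule written for protocol 4 matches only the second sample, which is consistent with the `ipencap` rules and the `ip proto 4` capture in the thread seeing nothing when the tunnel carries IPv6 or is wrapped in IPsec.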