IPF, IPv6 and a bridge

Jeroen Ubbink crasp at blackbyte.nl
Fri Jan 30 00:38:34 PST 2004


Hello,

I have built a VPN with some friends, we all have a tap-device that
handles data for the VPN. The tap-device is bridged to our local network
interfaces. e.g.:

net.link.ether.bridge_cfg: tap1,fxp0
net.link.ether.bridge: 1
net.link.ether.bridge_ipf: 1

Now some of my friends also have an IPv6 tunnel set up, just like me and
are running rtadvd to give their internal network IPv6 addresses and
routes. The point is that it goes across the entire VPN. So the hosts in my
network get routes and IPs out of the prefixes of friends, which in most
cases makes traffic with the outside world through IPv6 impossible. Now
what I want my IPF to do is to block all the router advertisements coming
in on tap1. Easier done than said. A simple rule:

block in quick on tap1 all.

Load it with ipf -6 and it works as an IPv6 rule. This works for the machine
with the TAP device in it. It doesn't get an IP or a route from anybody
else anymore, but it doesn't prevent the router advertisements from going to
the rest of my hosts. I even tried to block ipv6-icmp and load it with the
IPv4 rules, still the same. IPv4 however seems to block like a charm,
blocking DHCP to prevent other hosts from getting an IP of my network or
making sure my network doesn't get IPs from other networks seems to work
fine. I'm lost. ipfw doesn't seem to block router advertisements on a
bridge either. Is this just a problem with both those firewall tools or is
it a problem in FreeBSD?

thanks in advance,
Jeroen Ubbink
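An added example, not from the post or from FreeBSD/IPFilter: a small parser for the ICMPv6 Router Advertisement body (RFC 4861 type 134) that lists the prefixes a captured RA advertises and flags any outside your own allocation, so traffic seen on tap1 can be audited while the bridge filtering is sorted out. The RA bytes and the allowed prefix (2001:db8:1::/48, a documentation prefix) are constructed here and are assumptions.

```python
import ipaddress
import struct

ICMPV6_RA = 134        # ICMPv6 type: Router Advertisement
OPT_PREFIX_INFO = 3    # ND option: Prefix Information (4 x 8 bytes)


def build_ra(prefixes, router_lifetime=1800):
    """Constructed test data: ICMPv6 RA header (16 bytes, checksum left 0)
    followed by one Prefix Information option per prefix (no IPv6 header)."""
    hdr = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, 0, router_lifetime, 0, 0)
    opts = b""
    for p in prefixes:
        net = ipaddress.IPv6Network(p)
        # type, len (8-byte units), prefix len, flags L|A, valid, preferred, reserved
        opts += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen,
                            0xC0, 2592000, 604800, 0)
        opts += net.network_address.packed
    return hdr + opts


def advertised_prefixes(icmpv6):
    """Walk the RA's option list and return the advertised IPv6 prefixes.
    Anything that is not an RA, or is malformed, yields an empty list."""
    if len(icmpv6) < 16 or icmpv6[0] != ICMPV6_RA:
        return []
    found, off = [], 16
    while off + 2 <= len(icmpv6):
        otype, olen = icmpv6[off], icmpv6[off + 1]
        if olen == 0:                      # RFC 4861: zero length is invalid
            break
        end = off + olen * 8
        if end > len(icmpv6):              # truncated option: stop parsing
            break
        if otype == OPT_PREFIX_INFO and olen == 4:
            plen = icmpv6[off + 2]
            prefix = bytes(icmpv6[off + 16:off + 32])
            found.append(ipaddress.IPv6Network((prefix, plen), strict=False))
        off = end
    return found


def rogue_prefixes(icmpv6, allowed):
    """Advertised prefixes that fall outside every allowed allocation."""
    allowed_nets = [ipaddress.IPv6Network(a) for a in allowed]
    return [str(p) for p in advertised_prefixes(icmpv6)
            if not any(p.subnet_of(a) for a in allowed_nets)]


if __name__ == "__main__":
    # Constructed RA: one prefix from our own allocation, one from a "friend".
    ra = build_ra(["2001:db8:1::/64", "2001:db8:ffff::/64"])
    print(rogue_prefixes(ra, ["2001:db8:1::/48"]))
```

Feed it the ICMPv6 payload of frames captured on tap1 (for example from a tcpdump write file); any non-empty result is an RA that would leak a foreign prefix onto the bridged LAN.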


More information about the freebsd-stable mailing list