kern/88664: ipfw stateful firewalling broken with IPv6
Jean-Yves Lefort
jylefort at FreeBSD.org
Tue Nov 8 06:50:24 PST 2005
>Number: 88664
>Category: kern
>Synopsis: ipfw stateful firewalling broken with IPv6
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Nov 08 14:50:13 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator: Jean-Yves Lefort
>Release: FreeBSD 6.0-RELEASE i386
>Organization:
>Environment:
System: FreeBSD jsite.lefort.net 6.0-RELEASE FreeBSD 6.0-RELEASE #0: Mon Nov 7 19:32:08 CET 2005 jylefort at jsite.lefort.net:/usr/obj/usr/src/sys/JSITE i386
>Description:
# ipfw list
00100 allow ip4 from any to any proto esp src-ip 192.168.1.1 dst-ip 192.168.1.2 in
00200 allow ip4 from any to any proto esp src-ip 192.168.1.2 dst-ip 192.168.1.1 out
00300 allow ip6 from any to any proto ipv6-icmp
00400 allow ip6 from any to any proto tcp src-ip6 me6 out setup keep-state
00500 allow ip6 from any to any proto udp src-ip6 me6 out keep-state
00600 deny log logamount 36000 ip from any to any
65535 deny ip from any to any
# telnet www.sixxs.net 80
Trying 2001:838:1:1:210:dcff:fe20:7c7c...
^C
# tail /var/log/security | grep 2001:
Nov 8 15:39:57 jsite kernel: ipfw: 600 Deny TCP [2001:0838:0001:0001:0210:dcff:fe20:7c7c]:80 [2001:0838:0339::0002]:58128 in via ed0
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted: