misc/138208: [PATCH] Making rc.firewall (workstation) IPv6 aware

Wed Aug 26 17:20:02 UTC 2009

>Number:         138208
>Category:       misc
>Synopsis:       [PATCH] Making rc.firewall (workstation) IPv6 aware
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Wed Aug 26 17:20:01 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator:     Flemming Jacobsen
>Release:        8.0-BETA2
>Organization:
>Environment:
FreeBSD heartofgold.batmule.dk 8.0-BETA2 FreeBSD 8.0-BETA2 #0: Tue Aug 18 18:27:44 CEST 2009     fj at heartofgold.batmule.dk:/usr/obj/usr/src/sys/GENERIC  i386

>Description:
rc.firewall with firewall_type="WORKSTATION" does not allow IPv6 traffic.
This patch fixes that.

>How-To-Repeat:
In rc.conf, set:
  firewall_enable="YES"
  firewall_type="WORKSTATION"
Get IPv6 connectivity (tunnel or native).
Notice that ping6 (or any other IPv6 packet sending) fails with 'Permission denied'.
>Fix:
Apply attached patch

Patch attached with submission follows:

332c332
< 	${fwcmd} add pass tcp  from me to any established
---
> 	${fwcmd} add pass tcp   from \{ me or me6 \}	to any established
335,337c335,338
< 	${fwcmd} add pass tcp  from me to any setup keep-state
< 	${fwcmd} add pass udp  from me to any       keep-state
< 	${fwcmd} add pass icmp from me to any       keep-state
---
> 	${fwcmd} add pass tcp   from \{ me or me6 \}	to any setup keep-state
> 	${fwcmd} add pass udp   from \{ me or me6 \}	to any       keep-state
> 	${fwcmd} add pass icmp  from  me 		to any       keep-state
> 	${fwcmd} add pass icmp6 from  me6		to any       keep-state
345c346,349
< 	${fwcmd} add pass icmp from any to any icmptype 8
---
> 	${fwcmd} add pass icmp from any to any icmptypes 8
> 
> 	# Allow ICMP6 pings. Not really required, but done for 4/6 consistency
> 	${fwcmd} add pass icmp6 from any to any icmp6types 128
348c352,353
< 	${fwcmd} add pass icmp from any to any icmptype 3,4,11
---
> 	${fwcmd} add pass icmp from any to any icmptypes 3,4,11
> 	${fwcmd} add pass icmp6 from any to any icmp6types 1,2,3,4,133,134,135,136
363c368
< 	    ${fwcmd} add pass tcp from $i to me $j
---
> 	    ${fwcmd} add pass tcp from $i to \{ me or me6 \} $j
371c376
< 	  ${fwcmd} add pass ip from $i to me
---
> 	  ${fwcmd} add pass ip from $i to \{ me or me6 \}

>Release-Note:
>Audit-Trail:
>Unformatted: