Unified rc.firewall ipfw me/me6 issue

David Horn dhorn2000 at gmail.com
Sun Jan 3 01:36:56 UTC 2010


On Fri, Dec 18, 2009 at 10:45 AM, Hajimu UMEMOTO <ume at freebsd.org> wrote:
> Hi,
>
>>>>>> On Fri, 18 Dec 2009 09:12:48 -0500
>>>>>> David Horn <dhorn2000 at gmail.com> said:
>
> dhorn2000> The updated patch works, but doing a check for [ $ipv6_available -eq 0 ]
> dhorn2000> might be more appropriate than checking "net6" or "inet6" variables in these
> dhorn2000> no INET6 cases since neither net6 or inet6 variables are involved in these
> dhorn2000> statements.
>
> Thank you for testing.
> It is intentional.  If firewall_client_net_ipv6 is not set, the IPv6
> rules are not meaningful for the client type, and if
> firewall_simple_inet_ipv6 is not set, the IPv6 rules are not
> meaningful for the simple type.
>
> dhorn2000> Yes, "me" matching either ipv4/ipv6 would certainly simplify the default
> dhorn2000> rc.firewall flow.
>
> Here is my proposed patch.  With this patch, 'me' matches to both IPv4
> and IPv6, and 'me4' is added for matching to only IPv4.
>

The patch for me4/me6 works perfectly in my testing to date.  I guess
we would need to convince a larger audience to get consensus on
changing the behavior for "me" token from just ipv4 to both ipv4/ipv6,
but I personally think it is the right direction.

ipfw(8) man page already shows:

me      matches any IP address configured on an interface in the
        system.

me6     matches any IPv6 address configured on an interface in
        the system.  The address list is evaluated at the time
        the packet is analysed.


So, one could argue that your patch would change "me" token behavior
to make it match the documented behavior.  Of course we would need to
add an entry for me4, but that is trivial.

On a separate note, you may want to consider adding an explicit
"allow" in the default rc.firewall to support dhcpv6-client requests.
(at least in the client case, but potentially workstation as well)

e.g.:

# Allow dhcpv6 client traffic - RFC 3315
${fwcmd} add pass udp from fe80::/10 to me6 546

In normal cases, ipfw does not load the rc.firewall rule set until
potentially initial negotiation of dhcpv6 has already occurred, but
future requests (e.g. lease renewal, link up/down cases, etc.) would
be blocked without the specific allow rule.

---Thanks!

---Dave Horn
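An added example, not part of the post above and not code from FreeBSD's rc.firewall: the DHCPv6 client rules written in the rc.firewall style (rules issued through the script's ${fwcmd} variable), going slightly beyond the single inbound rule proposed in the mail by also covering the outbound Solicit/Renew traffic that a default-deny "client" rule set would otherwise drop. The function names dhcpv6_client_rules and dhcpv6_client_rule_count are made up for this example; it assumes me6 matches every IPv6 address configured on the host, link-local included, as the ipfw(8) text quoted above describes. With fwcmd left unset it only echoes the ipfw(8) commands, so it runs as a dry run without root or an ipfw kernel.

```shell
#!/bin/sh
# Added example (not rc.firewall's own code). Dry run by default:
# fwcmd="echo ipfw" prints the rules; on a real host use fwcmd="/sbin/ipfw".
fwcmd="${fwcmd:-echo ipfw}"

# DHCPv6 (RFC 3315): clients listen on UDP/546, servers and relay agents on
# UDP/547. Clients send to the link-scope group ff02::1:2; servers answer
# with a unicast packet from their link-local address.
# Assumption: me6 matches the host's link-local addresses too.
dhcpv6_client_rules() {
	# Inbound Advertise/Reply/Reconfigure from on-link servers or relays.
	# The source port is deliberately not matched: RFC 3315 does not
	# require servers to send from 547.
	${fwcmd} add pass udp from fe80::/10 to me6 546 in

	# Outbound Solicit/Request/Renew/Rebind to the all-servers group.
	# An explicit rule is needed under a default-deny policy: a
	# keep-state rule keyed on the multicast destination would not
	# match the unicast reply, so state tracking does not help here.
	${fwcmd} add pass udp from me6 to ff02::1:2 547 out

	# Unicast Renew/Information-request, used when the server handed
	# out the Server Unicast option (RFC 3315 section 22.12).
	${fwcmd} add pass udp from me6 to fe80::/10 547 out
}

# Number of rules the function issues; lets a dry run be checked.
dhcpv6_client_rule_count() {
	dhcpv6_client_rules | wc -l | tr -d ' '
}

# Dry-run usage: print the three rules that would be installed.
dhcpv6_client_rules
```

Note that the inbound rule is the same as the one proposed in the mail, only with an explicit "in" direction; the two outbound rules matter only when the rule set's default is deny, which is the case for the rc.firewall "client" type unless the kernel was built with IPFIREWALL_DEFAULT_TO_ACCEPT.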

