ip6fw without ipfw?

Bob Johnson fbsdlists at gmail.com
Tue Nov 6 07:14:41 PST 2007


On 11/6/07, Nikos Vassiliadis <nvass at teledomenet.gr> wrote:
> On Tuesday 06 November 2007 00:54:36 Bob Johnson wrote:
> > So is it a bug or a feature that enabling ip6fw (/etc/rc.d/ip6fw
> > start) also enables ipfw (the ipv4 version)? I didn't see it mentioned
> > in IP6FW(8).
> >
> > It sure surprised me when I was exploring IPv6 setup and I enabled
> > ip6fw without configuring the IPv4 rc.firewall.  Locked me out of the
> > remote system, because ssh won't let me log in on IPv6 (I'll post that
> > question in another message), and ipfw came up and locked me out via
> > IPv4. Forced me to go out and enjoy the nice weather yesterday instead
> > of playing with IPv6 all day...
>
> Can't replicate what you said. I am running 6.2-STABLE from June.
> I loaded the ip6fw module and ipfw is not loaded. I also ran the
> ip6fw rc script. Nothing happened regarding ipfw.
>
> root:0:/cdrom# ip6fw show
> 65535          0          0 deny ipv6 from any to any
> root:0:/cdrom# ipfw show
> ipfw: getsockopt(IP_FW_GET): Protocol not available
>
> If you can replicate the problem, please report it.
>
> Nikos
>

Sorry, I forgot to mention that this is on 7.0-BETA1.

I find that it only happens the first time I enable the firewall after
rebooting. I remove the firewall_enable and ipv6_firewall_enable lines
in rc.conf, reboot the system, then put the lines back in rc.conf.
Then /etc/rc.d/ip6fw start also starts ipfw.

I'm pretty sure that when this happens, ipfw doesn't load its rules
from /etc/rc.firewall, so it is running with only the default deny
rule (I'll try to confirm that some time today, but first I need to
get some real work done this morning).

After the firewall has been enabled and disabled, re-enabling ip6fw
doesn't seem to affect ipfw.

Since this is apparently a bug, I'll file a PR. I'm going to install
7.0-BETA2 later today; I'll try again on that.

- Bob
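
Added example, not part of the thread or of FreeBSD: a pre-flight check for the lockout described above, which classifies `ipfw show` / `ip6fw show` listings and reports when the address family carrying the management session is left with only the default deny rule. The function names `classify_ruleset` and `mgmt_path_blocked` are hypothetical, and the IPv4 default-deny listing is constructed to match the state Bob suspects.

```shell
#!/bin/sh
# Added example (not from the thread). Classifies a listing in the layout
# shown in the quoted output: rule number, packets, bytes, rule body.

# classify_ruleset: read `ipfw show` / `ip6fw show` output (stderr included) on stdin.
#   configured         at least one rule numbered below 65535
#   default-deny-only  only rule 65535 "deny" exists, so every packet is dropped
#   not-loaded         the tool printed a getsockopt error instead of rules
#   unknown            anything else
classify_ruleset() {
    awk '
        /getsockopt/ { notloaded = 1; next }
        $1 ~ /^[0-9]+$/ {
            if ($1 + 0 < 65535) user = 1
            else if ($4 == "deny") deny = 1
        }
        END {
            if (user)           print "configured"
            else if (deny)      print "default-deny-only"
            else if (notloaded) print "not-loaded"
            else                print "unknown"
        }'
}

# mgmt_path_blocked FAMILY V4_LISTING V6_LISTING
# Returns 0 (true) when the firewall for the address family carrying the
# management session (4 or 6) holds nothing but the default deny rule.
mgmt_path_blocked() {
    case "$1" in
        4) listing=$2 ;;
        6) listing=$3 ;;
        *) return 2 ;;
    esac
    [ "$(printf '%s\n' "$listing" | classify_ruleset)" = "default-deny-only" ]
}

# Listings as quoted in the thread (ip6fw at default deny, ipfw not loaded).
QUOTED_V6='65535          0          0 deny ipv6 from any to any'
QUOTED_V4='ipfw: getsockopt(IP_FW_GET): Protocol not available'
# Constructed listing for the state Bob suspects: ipfw up with no rc.firewall rules.
SUSPECTED_V4='65535          0          0 deny ip from any to any'

if mgmt_path_blocked 4 "$SUSPECTED_V4" "$QUOTED_V6"; then
    echo "IPv4 management path would be cut: ipfw has only the default deny rule"
fi
```

On a live host the listings would come from `ipfw show 2>&1` and `ip6fw show 2>&1`, run from a console session rather than over the path being checked.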

