ipv6 and ipfilter on 10.0-RELEASE

Jay Young j1010y at gmail.com
Mon Feb 24 13:58:10 UTC 2014


I am running a 10.0-RELEASE system with the same ipfilter config that I have on many 9.2-RELEASE systems. When I look at my ipmon logs I see that both IPv4 and IPv6 packets are being blocked by the same rule @0:16. On my 9.2 systems the IPv6 rules are separate from the IPv4 rules. Do I need to change the ipfilter config in some way? Also, how do I tell which rule is being hit? The output of ipfstat -ni and ipfstat -6 -ni shows me the rule numbers like the 9.2 box. I only have two blocking rules, @6 for ipv6 and @10 for ipv4. Also wondering why the icmp6 traffic is being blocked at all since it is allowed in the inet6 rule.

Thanks,
Jay 

Feb 24 08:02:32 xxxx ipmon[2208]: 08:02:32.654562 bge0 @0:16 b xxxx::xxxx:xxxx:xxxx:xxxx -> ff02::1 PR icmpv6 len 40 104 icmpv6 routeradvert/0 IN multicast
Feb 24 08:02:32 xxxx ipmon[2208]: 08:02:32.654562 bge0 @0:16 b xxxx::xxxx:xxxx:xxxx:xxxx -> ff02::1 PR icmpv6 len 40 104 icmpv6 routeradvert/0 IN multicast
Feb 24 08:02:33 xxxx ipmon[2208]: 08:02:33.675609 bge0 @0:16 b xxx.xxx.xxx.xxx,0 -> xxx.xxx.xxx.xxx,123 PR udp len 20 76 IN low-ttl bad broadcast
Feb 24 08:02:33 xxxx ipmon[2208]: 08:02:33.675609 bge0 @0:16 b xxx.xxx.xxx.xxx,0 -> xxx.xxx.xxx.xxx,123 PR udp len 20 76 IN low-ttl bad broadcast

#ipfstat -6 -ni
@1 pass in quick on lo0 inet6 all
@2 pass in quick inet6 proto ipv6-icmp from any to any keep state
@3 pass in quick inet6 proto tcp from xxxx:xxxx:xxxx:xxxx::/64 to any port = ssh keep state
@4 pass in quick inet6 proto tcp from any to any port = smtp keep state
@5 pass in quick inet6 proto udp from xxxx:xxxx:xxxx::/48 to any port = ntp keep state
@6 block in log first inet6 all
#sudo ipfstat -ni
@1 pass in quick on lo0 inet all
@2 pass in quick inet proto icmp from any to any keep state
@3 pass in quick inet proto igmp from any to any keep state
@4 pass in quick inet proto tcp from xxx.xxx.xxx.xxx/24 to any port = ssh keep state
@5 pass in quick inet proto tcp from xxx.xxx.xxx.xxx/32 to any port = ssh keep state
@6 pass in quick inet proto tcp from xxx.xxx.xxx.xxx/32 to any port = ssh keep state
@7 pass in quick inet proto tcp from any to any port = smtp keep state
@8 pass in quick inet proto udp from xxx.xxx.xxx.xxx/24 to any port = ntp keep state
@9 pass in quick inet proto tcp from any to any port = snpp keep state
@10 block in log first inet all
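As an added example (not code from Jay's mail, from ipfilter or from the FreeBSD project), the script below parses ipmon log lines of the shape quoted above, splits the logged "@group:rule" reference, and looks the rule number up in an ipfstat -ni / ipfstat -6 -ni listing for the packet's address family, so that a logged rule number that appears in neither listing (as @0:16 does here) stands out instead of being overlooked. The sample log lines and rule listings are constructed with documentation addresses and are not from the post; the assumed ipmon field layout is interface, @group:rule, action letter, src -> dst, PR proto, len hlen plen, followed by direction and flag words.

```python
import re
from collections import Counter

# Constructed sample input in the shape of the post's ipmon output (documentation
# addresses, not the poster's). The third line is an extra constructed case whose
# rule number does appear in the IPv4 listing, for contrast.
IPMON_LINES = [
    "Feb 24 08:02:32 host ipmon[2208]: 08:02:32.654562 bge0 @0:16 b 2001:db8::1 -> ff02::1 "
    "PR icmpv6 len 40 104 icmpv6 routeradvert/0 IN multicast",
    "Feb 24 08:02:33 host ipmon[2208]: 08:02:33.675609 bge0 @0:16 b 192.0.2.7,0 -> 192.0.2.255,123 "
    "PR udp len 20 76 IN low-ttl bad broadcast",
    "Feb 24 08:02:34 host ipmon[2208]: 08:02:34.100000 bge0 @0:10 b 198.51.100.9,44321 -> 192.0.2.1,25 "
    "PR tcp len 20 60 -S IN",
]

# Constructed abridged listings in the shape of "ipfstat -6 -ni" and "ipfstat -ni".
IPFSTAT_V6 = """@1 pass in quick on lo0 inet6 all
@2 pass in quick inet6 proto ipv6-icmp from any to any keep state
@6 block in log first inet6 all"""

IPFSTAT_V4 = """@1 pass in quick on lo0 inet all
@2 pass in quick inet proto icmp from any to any keep state
@10 block in log first inet all"""

# Assumed ipmon layout: "<iface> @<group>:<rule> <action> <src> -> <dst> PR <proto> len <hlen> <plen> <rest>"
IPMON_RE = re.compile(
    r"(?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) (?P<action>[bpSnL]) "
    r"(?P<src>\S+) -> (?P<dst>\S+) PR (?P<proto>\S+) len (?P<hlen>\d+) (?P<plen>\d+)(?P<rest>.*)$"
)
IPFSTAT_RE = re.compile(r"^@(?P<num>\d+)\s+(?P<body>.+)$")


def _split_endpoint(endpoint):
    """Split 'addr,port' into (addr, port); a bare address (no port) yields port None."""
    if "," in endpoint:
        addr, port = endpoint.rsplit(",", 1)
        return addr, int(port)
    return endpoint, None


def parse_ipmon(line):
    """Parse one ipmon line into a dict, or return None if it does not match the layout."""
    m = IPMON_RE.search(line)
    if not m:
        return None
    src_addr, src_port = _split_endpoint(m["src"])
    dst_addr, dst_port = _split_endpoint(m["dst"])
    return {
        "iface": m["iface"],
        "group": int(m["group"]),
        "rule": int(m["rule"]),
        "action": m["action"],          # b = blocked, p = passed, S = short, n = nomatch, L = log
        "src": src_addr, "src_port": src_port,
        "dst": dst_addr, "dst_port": dst_port,
        "proto": m["proto"],
        # IPv6 addresses contain colons, IPv4 addresses never do; this also copes
        # with addresses masked as xxxx::xxxx in a pasted log.
        "family": 6 if ":" in src_addr else 4,
        "extra": m["rest"].split(),     # direction and flag words such as IN, multicast, low-ttl
    }


def parse_ipfstat(text):
    """Map the @N rule numbers of an ipfstat -ni style listing to their rule text."""
    rules = {}
    for line in text.splitlines():
        m = IPFSTAT_RE.match(line.strip())
        if m:
            rules[int(m["num"])] = m["body"]
    return rules


def audit(log_lines, v4_listing, v6_listing):
    """For each parsable ipmon line, attach the listed rule text for its family, or None
    when the logged rule number is absent from that family's listing."""
    v4_rules = parse_ipfstat(v4_listing)
    v6_rules = parse_ipfstat(v6_listing)
    results = []
    for line in log_lines:
        entry = parse_ipmon(line)
        if entry is None:
            continue
        rules = v6_rules if entry["family"] == 6 else v4_rules
        entry["matched"] = rules.get(entry["rule"])
        results.append(entry)
    return results


def block_counts(results):
    """Count blocked packets per (family, group, rule) so the noisiest rule is visible."""
    return Counter((e["family"], e["group"], e["rule"]) for e in results if e["action"] == "b")


if __name__ == "__main__":
    for e in audit(IPMON_LINES, IPFSTAT_V4, IPFSTAT_V6):
        status = e["matched"] if e["matched"] else "NOT IN LISTING for inet%s" % ("6" if e["family"] == 6 else "")
        print("@%d:%d %s v%d %s %s -> %s: %s" % (e["group"], e["rule"], e["action"], e["family"],
                                                  e["proto"], e["src"], e["dst"], status))
```

Run against a real ipmon log and the two ipfstat listings, a rule reference that resolves to "NOT IN LISTING" for every family is the signal that the logged numbering and the listed numbering disagree, which is exactly the situation the post describes; the script can flag that mismatch but cannot by itself say why the numbering differs between releases.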

More information about the freebsd-stable mailing list