I just got caught by a subtle problem with ip6fw. You can legally
say:
allow icmp from any to any
and ip6fw doesn't complain, but this allows IPv4 ICMP in IPv6
packets, which is pretty meaningless. This seems to be because ip6fw
uses getprotobyname to convert names into numbers. Of course, what
I intended to say was:
allow ipv6-icmp from any to any
I think it might be worth adding a warning to ip6fw if someone gives
the protocol as "icmp". If someone really wants to let ICMPv4 through
ip6fw, they could always give the numerical version of the protocol
instead.
The patch below would make giving icmp an error, but it might just
be better to syslog something?
David.
Index: ip6fw.c
===================================================================
RCS file: /FreeBSD/FreeBSD-CVS/src/sbin/ip6fw/ip6fw.c,v
retrieving revision 1.1.2.8
diff -u -r1.1.2.8 ip6fw.c
--- ip6fw.c 28 Aug 2002 05:32:03 -0000 1.1.2.8
+++ ip6fw.c 9 Jan 2003 21:49:54 -0000
@@ -959,6 +959,8 @@
rule.fw_prot = proto; av++; ac--;
} else if (!strncmp(*av,"all",strlen(*av))) {
rule.fw_prot = IPPROTO_IPV6; av++; ac--;
+ } else if (!strncmp(*av,"icmp",strlen(*av))) {
+ show_usage("allowing ipv4 icmp does not make sense.");
} else if ((pe = getprotobyname(*av)) != NULL) {
rule.fw_prot = pe->p_proto; av++; ac--;
} else {
To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-net" in the body of the message
