On 11/23/2009 09:55 AM, John Baldwin wrote:
> On Monday 23 November 2009 12:27:23 pm Hajimu UMEMOTO wrote:
>> Hi,
>>
>>>>>>> On Mon, 23 Nov 2009 10:56:14 -0500
>>>>>>> John Baldwin <j...@freebsd.org> said:
>> jhb>         # For services permitted below.
>> jhb>         ${fwcmd} add pass tcp  from me to any established
>> jhb> +       if [ $ipv6_available -eq 0 ]; then
>> jhb> +               ${fwcmd} add pass ip6 from any to any proto tcp 
>> established
>> jhb> +       fi
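Review bot: the added ip6 rule is broader than the IPv4 rule just above it. `tcp from me to any established` only passes packets sourced from this host's own addresses, while `ip6 from any to any proto tcp established` passes established TCP from any source to any destination, which is the "weaker firewall for IPv6" the reply objects to. If `me` really does not match IPv6 addresses, mirror the IPv4 rule with `${fwcmd} add pass ip6 from me6 to any proto tcp established`, and add a comment explaining why IPv6 gets a static established rule while IPv4 relies on the dynamic rules.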
>>
>> jhb> I think this extra rule here isn't needed at all as the first rule
>> jhb> should already match all of those packets.
>>
>> The WORKSTATION-type rule set is fully dynamic.  However, I saw it doesn't
>> work for IPv6 as expected.  The SSH connection stalls after some period.
>> I suspect the keepalive timer doesn't work well for IPv6.
>> So, I changed to use the traditional setup/established rule for TCP/IPv6.
>> Further, 'me' doesn't match IPv6 addresses.
> 
> I had missed the me vs any.  It is true that the equivalent rule would use
> me6.  I would rather figure out the IPv6 bug so that TCP is treated the
> same for both protocols instead of having a weaker firewall for IPv6 than
> IPv4.

There is a bug in ipfw send_pkt() that prevents ipfw_tick() from
functioning for IPv6.  See PR kern/117234.


-- 
Benjamin Lee
http://www.b1c1l1.com/
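The loose IPv6 rule from the quoted hunk beside a form that mirrors the IPv4 rule, as an added example that is not code from the thread or from FreeBSD's rc.firewall. It assumes `fwcmd` defaults to a dry-run `echo` (set `fwcmd="ipfw -q"` on a FreeBSD host to load the rules), that `ipv6_available` is 0 when IPv6 is present, as the hunk's test implies, and that `me6` is the IPv6 counterpart of `me`, as John Baldwin's reply states.

```shell
#!/bin/sh
# Added example: not from the thread or from FreeBSD's rc.firewall.
# Emits the IPv4 'established' rule from the quoted hunk next to an IPv6
# rule that mirrors it, so the two forms can be compared side by side.
# fwcmd defaults to 'echo' (dry run); on a FreeBSD host set fwcmd="ipfw -q"
# to load the rules for real.
fwcmd=${fwcmd:-echo}

# Form from the quoted patch: the IPv6 rule passes established TCP from ANY
# source to ANY destination, unlike the IPv4 rule, which is limited to 'me'.
# $1 is ipv6_available; as in the hunk, 0 means IPv6 is available.
established_rules_loose() {
    ${fwcmd} add pass tcp from me to any established
    if [ "$1" -eq 0 ]; then
        ${fwcmd} add pass ip6 from any to any proto tcp established
    fi
}

# Mirrored form: 'me' only covers IPv4 addresses (per the thread), so the
# IPv6 rule uses 'me6' to restrict it to this host's own IPv6 addresses.
established_rules_mirrored() {
    ${fwcmd} add pass tcp from me to any established
    if [ "$1" -eq 0 ]; then
        ${fwcmd} add pass ip6 from me6 to any proto tcp established
    fi
}

# Number of rules a rule function would load for a given ipv6_available,
# for a quick sanity check of the dry-run output.
rule_count() {
    "$1" "$2" | wc -l | tr -d ' '
}
```

With `fwcmd` left at `echo`, `established_rules_mirrored 0` prints two rules and `established_rules_mirrored 1` prints only the IPv4 one; the same gating as the hunk, but the IPv6 rule no longer admits established TCP from arbitrary sources.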
