On 5 September 2011 16:01, Matthew D. Fuller <fulle...@over-yonder.net> wrote:
> On Mon, Sep 05, 2011 at 02:37:08PM +0200 I heard the voice of
> Ivan Voras, and lo! it spake thus:
>>
>> There is no symmetrical "me4" option which leads me to think that
>> "me" matches only ipv4 and "me6" only ipv6.
>
> I can't answer for the code, but as far as I could tell as a user
> that's the case.
>
> (and so my firewall script is piled up with "{ me or me6 }"'s...
> sigh)

I thought so too, and AFAIK it used to work like that, but it might be
that something has changed. I have pretty conclusive evidence that the
handling has either been extended to (ipv4 or ipv6) or at least is
inconsistent.

I've verified this by having these two rules:

02999 17 1360 skipto 3000 log tcp from me to any setup keep-state
03000 66661 52129939 allow tcp from me to any setup keep-state

and the logs have this:

Sep 5 14:29:19 element kernel: ipfw: 2999 SkipTo 3000 TCP [2001:xxxx:xxxx:xxxx:xxxx:56ff:fe99:3327]:43389 [2001:4f8:fff6::22]:80 out via em0
Sep 5 14:29:19 element kernel: ipfw: 2999 SkipTo 3000 TCP [2001:4f8:fff6::22]:80 [2001:xxxx:xxxx:xxxx:xxxx:56ff:fe99:3327]:43389 in via em0
Sep 5 14:31:53 element kernel: ipfw: 2999 SkipTo 3000 TCP 69.147.83.34:80 xxx.xxx.xxx.xxx:38991 in via em0

So "tcp from me to any..." appears to match both... which would be
fine, but then how do we match ipv4 only?
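
Added example (not part of the original post and not ipfw code): one way to check from the log which address families a logged rule such as 2999 is actually matching. The sample lines are constructed in the format quoted above using documentation-range addresses, and the function names are hypothetical.

```python
import ipaddress
from collections import Counter

# Constructed sample lines in the log format quoted above; addresses come
# from documentation ranges (2001:db8::/32, 192.0.2.0/24, 198.51.100.0/24).
SAMPLE_LOG = """\
Sep  5 14:29:19 host kernel: ipfw: 2999 SkipTo 3000 TCP [2001:db8::1]:43389 [2001:db8:ffff::22]:80 out via em0
Sep  5 14:29:19 host kernel: ipfw: 2999 SkipTo 3000 TCP [2001:db8:ffff::22]:80 [2001:db8::1]:43389 in via em0
Sep  5 14:31:53 host kernel: ipfw: 2999 SkipTo 3000 TCP 198.51.100.34:80 192.0.2.10:38991 in via em0
Sep  5 14:32:00 host kernel: some unrelated kernel message
"""

def endpoint_version(endpoint):
    """Return 4 or 6 for 'a.b.c.d:port' or '[v6addr]:port', else None."""
    if endpoint.startswith("["):
        host = endpoint[1:].partition("]")[0]
    else:
        # No port (e.g. ICMP) leaves rpartition's head empty; use the token.
        host = endpoint.rpartition(":")[0] or endpoint
    try:
        return ipaddress.ip_address(host).version
    except ValueError:
        return None  # redacted or malformed address

def family_by_rule(lines):
    """Count logged packets per (rule number, IP version)."""
    counts = Counter()
    for line in lines:
        _, marker, rest = line.partition("ipfw: ")
        tokens = rest.split()
        # The direction keyword sits right after the "src dst" endpoint pair.
        idx = next((i for i, t in enumerate(tokens) if t in ("in", "out")), None)
        if not marker or idx is None or idx < 3 or not tokens[0].isdigit():
            continue
        versions = {endpoint_version(t) for t in tokens[idx - 2:idx]}
        if len(versions) == 1 and None not in versions:
            counts[(int(tokens[0]), versions.pop())] += 1
    return counts

if __name__ == "__main__":
    tally = family_by_rule(SAMPLE_LOG.splitlines())
    for (rule, version), n in sorted(tally.items()):
        print(f"rule {rule}: IPv{version} x{n}")
```

A rule written with "me" that shows a non-zero IPv6 count here is matching both families; lines with redacted addresses are skipped rather than guessed at.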