Hi,

>>>>> On Tue, 31 Jan 2012 23:36:56 -0500
>>>>> "Eric W. Bates" <er...@ericx.net> said:

ericx> Seems like a silly question; but how does one allow the packets
ericx> composing a gif tunnel thru ipfw?

ericx> I assumed a gif was made up of ipencap (IP proto 4) packets and added rules:

ericx> $fwcmd add 00140 allow ipencap from $he_tun to me
ericx> $fwcmd add 00141 allow ipencap from me to $he_tun

ericx> ($he_tun is a Hurricane Electric provider); but neither of them are
ericx> hit; so that's wrong...

ericx> tcpdump -i em_vlan5 -nnvvs0 ip proto 4

ericx> doesn't show any packets either...

ericx> I also have the rule to allow icmp6 thru the gif:

ericx> $fwcmd add 30132 allow icmp6 from me to any out via gif0 keep-state

ericx> but that doesn't get hit either. Bottom line: I cannot ping the far
ericx> end of my ipv6 tunnel. I receive the error "permission denied"

ericx> ** root@olivia ** ~ ** Tue Jan 31 23:31:43
ericx> # ping6 2001:****:****:****::1
ericx> PING6(56=40+8+8 bytes) 2001:****:****:****::2 --> 2001:****:****:****::1
ericx> ping6: sendmsg: Permission denied
ericx> ping6: wrote 2001:****:****:****::1 16 chars, ret=-1
ericx> ping6: sendmsg: Permission denied

ericx> Am I even correct in assuming that my gif packets are being blocked?

Are you trying to pass an IPv6 over IPv4 tunnel? If so,

    $fwcmd add 00140 allow ip4 from $he_tun to me proto ipv6
    $fwcmd add 00141 allow ip4 from me to $he_tun proto ipv6

should work for you.

Sincerely,

--
Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan
u...@mahoroba.org  ume@{,jp.}FreeBSD.org
http://www.imasy.org/~ume/
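
Why the ipencap rules in this thread never matched, as an added example that is not part of the original messages: an IPv6-over-IPv4 tunnel packet carries IP protocol 41 (`ipv6`) in its outer IPv4 header, not protocol 4 (`ipencap`). The helper names and all addresses below are constructed for illustration (documentation ranges), and the packet is built in memory rather than captured.

```python
import ipaddress
import socket
import struct

# IP protocol numbers under their /etc/protocols names
PROTO_NAMES = {4: "ipencap", 41: "ipv6", 58: "ipv6-icmp"}


def build_6in4(src4, dst4, src6, dst6):
    """Construct a sample 6in4 packet: IPv4 header + IPv6 header + ICMPv6 echo request."""
    icmp6 = struct.pack("!BBHHH", 128, 0, 0, 1, 1)  # type 128 = echo request, checksum left 0
    ip6 = struct.pack("!IHBB", 6 << 28, len(icmp6), 58, 64)  # next header 58 = ICMPv6
    ip6 += ipaddress.IPv6Address(src6).packed + ipaddress.IPv6Address(dst6).packed
    payload = ip6 + icmp6
    ip4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      41, 0, socket.inet_aton(src4), socket.inet_aton(dst4))
    return ip4 + payload


def classify(pkt):
    """Report what a rule matching on the outer IPv4 header sees for this packet."""
    ihl = (pkt[0] & 0x0F) * 4          # outer header length in bytes
    outer_proto = pkt[9]               # IPv4 protocol field
    result = {
        "outer_proto": outer_proto,
        "outer_name": PROTO_NAMES.get(outer_proto, str(outer_proto)),
        "matches_ipencap_rule": outer_proto == 4,      # the rules from the question
        "matches_proto_ipv6_rule": outer_proto == 41,  # the rules from the reply
        "inner": None,
    }
    inner = pkt[ihl:]
    # Only look inside when the outer header says the payload is IPv6.
    if outer_proto == 41 and len(inner) >= 40 and inner[0] >> 4 == 6:
        result["inner"] = PROTO_NAMES.get(inner[6], str(inner[6]))
    return result


if __name__ == "__main__":
    # Constructed endpoints: 192.0.2.10 = local host, 198.51.100.1 = tunnel provider
    pkt = build_6in4("192.0.2.10", "198.51.100.1", "2001:db8::2", "2001:db8::1")
    print(classify(pkt))
```

The same protocol number applies to the capture filter: `ip proto 41` on the physical interface is the filter that shows tunnel traffic, where `ip proto 4` shows none.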