On 11/23/2009 09:55 AM, John Baldwin wrote:
> On Monday 23 November 2009 12:27:23 pm Hajimu UMEMOTO wrote:
>> Hi,
>>
>>>>>>> On Mon, 23 Nov 2009 10:56:14 -0500
>>>>>>> John Baldwin <jhb_at_freebsd.org> said:
>> jhb> # For services permitted below.
>> jhb> ${fwcmd} add pass tcp from me to any established
>> jhb> + if [ $ipv6_available -eq 0 ]; then
>> jhb> + ${fwcmd} add pass ip6 from any to any proto tcp established
>> jhb> + fi
>>
>> jhb> I think this extra rule here isn't needed at all as the first rule should
>> jhb> already match all of those packets.
>>
>> The WORKSTATION type rule is fully dynamic. However, I saw that it
>> doesn't work for IPv6 as expected. The SSH connection stalls after
>> some period. I suspect the keepalive timer doesn't work well for IPv6.
>> So I changed to use the traditional setup/established rule for
>> TCP/IPv6. Further, 'me' doesn't match an IPv6 address.
>
> I had missed the me vs any. It is true that the equivalent rule would use
> me6. I would rather figure out the IPv6 bug so that TCP is treated the
> same for both protocols instead of having a weaker firewall for IPv6 than
> IPv4.

There is a bug in ipfw send_pkt() that prevents ipfw_tick() from
functioning for IPv6. See PR kern/117234.

-- 
Benjamin Lee
http://www.b1c1l1.com/
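Review bot: the added IPv6 rule in the quoted hunk is broader than the IPv4 rule directly above it. `${fwcmd} add pass tcp from me to any established` only passes established segments whose source is one of this host's own addresses, while the added `${fwcmd} add pass ip6 from any to any proto tcp established` passes every established TCP segment regardless of source or destination, so the IPv6 side of the firewall ends up weaker than the IPv4 side. Since `me` does not match IPv6 addresses, the equivalent restriction is `me6`; suggest `${fwcmd} add pass ip6 from me6 to any proto tcp established` inside the existing `if [ $ipv6_available -eq 0 ]` guard.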
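The me vs. any difference discussed above, shown as an added example that is not part of the thread or of FreeBSD's rc.firewall: the weak any-to-any IPv6 rule from the quoted hunk next to a variant that keeps the same source restriction as the IPv4 rule by using `me6`. It assumes a stand-in `fwcmd` function that prints rules instead of loading them, so it runs without ipfw; the rule syntax follows ipfw(8), and the `-eq 0` convention for `ipv6_available` is taken from the hunk itself.

```shell
#!/bin/sh
# Added example, not code from the thread or from rc.firewall.

# Stand-in for ${fwcmd}: print the rule instead of handing it to /sbin/ipfw,
# so the script can be run (and checked) on a box without ipfw loaded.
fwcmd() {
    printf '%s\n' "ipfw $*"
}

# The weak variant from the quoted hunk: "from any to any" passes every
# established TCP segment that reaches this host, not just replies to
# connections the host itself opened.
weak_ipv6_established() {
    fwcmd add pass ip6 from any to any proto tcp established
}

# Corrected variant. "me" matches only the host's IPv4 addresses, so the
# IPv6 rule uses "me6" (the host's configured IPv6 addresses) to keep the
# same "replies to our own connections" semantics as the IPv4 rule.
# $1 mirrors ipv6_available in the hunk: 0 means IPv6 is available.
established_rules() {
    fwcmd add pass tcp from me to any established
    case "${1:-1}" in
        0) fwcmd add pass ip6 from me6 to any proto tcp established ;;
    esac
}

# Usage: emit the rule set for a host with IPv6 configured.
established_rules 0
```

The output is what rc.firewall would hand to ipfw; the point to check is that the IPv6 line carries `me6` where the IPv4 line carries `me`, rather than `any`.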
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:39:58 UTC