> From: John Baldwin <jhb_at_freebsd.org>
> Date: Mon, 23 Nov 2009 12:55:25 -0500
> Sender: owner-freebsd-current_at_freebsd.org
>
> On Monday 23 November 2009 12:27:23 pm Hajimu UMEMOTO wrote:
> > Hi,
> >
> > >>>>> On Mon, 23 Nov 2009 10:56:14 -0500
> > >>>>> John Baldwin <jhb_at_freebsd.org> said:
> >
> > jhb> _at__at_ -178,6 +212,16 _at__at_
> > jhb> # Allow any traffic to or from my own net.
> > jhb> ${fwcmd} add pass all from me to ${net}
> > jhb> ${fwcmd} add pass all from ${net} to me
> > jhb> + if [ -n "$net6" ]; then
> > jhb> + ${fwcmd} add pass ip6 from me6 to ${net6}
> > jhb> + ${fwcmd} add pass ip6 from ${net6} to me6
> > jhb> + fi
> > jhb> +
> > jhb> + if [ -n "$net6" ]; then
> > jhb> + # Allow any link-local multicast traffic
> > jhb> + ${fwcmd} add pass ip6 from fe80::/10 to ff02::/16
> > jhb> + ${fwcmd} add pass ip6 from ${net6} to ff02::/16
> > jhb> + fi
> >
> > jhb> Any reason to not use 'all' here rather than 'ip6' to match the earlier IPv4
> > jhb> rules?
> >
> > Thank you for the review.
> > The rule is only applicable for IPv6. Rather, I prefer to use 'ip4'
> > explicitly over 'all' or 'ip' here. However, changing 'all' to 'ip4'
> > makes the diff complex. So, I keep 'all' as is.
>
> Hmm, however, using 'all' will work, and while in this case the typing is the
> same I find it easier to read 'add pass tcp <...>' vs
> 'add pass ip <...> proto tcp'. I do think they should be consistent
> regardless.
>
> > jhb> # For services permitted below.
> > jhb> ${fwcmd} add pass tcp from me to any established
> > jhb> + if [ $ipv6_available -eq 0 ]; then
> > jhb> + ${fwcmd} add pass ip6 from any to any proto tcp established
> > jhb> + fi
> >
> > jhb> I think this extra rule here isn't needed at all as the first rule should
> > jhb> already match all of those packets.
> >
> > The WORKSTATION type rule is fully dynamic. However, I saw it doesn't
> > work for IPv6 as expected. SSH connection stalls after some period.
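Review bot: in the first hunk (_at__at_ -178,6 +212,16 _at__at_) the two consecutive 'if [ -n "$net6" ]; then ... fi' blocks test the same condition and can be folded into one. More importantly, the link-local multicast rule 'add pass ip6 from fe80::/10 to ff02::/16' is gated on $net6 being set, so a host that has IPv6 enabled but no configured global prefix gets no rule for link-local multicast, which Neighbor Discovery depends on; that block should be keyed on IPv6 being available (the condition the second hunk uses) rather than on $net6 being non-empty, with only the '${net6} to ff02::/16' rule left under the $net6 test.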
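Review bot: in the second hunk the test 'if [ $ipv6_available -eq 0 ]; then' leaves $ipv6_available unquoted; if the variable is unset, test(1) sees only '-eq 0' and the script aborts with a syntax error, so write '[ "$ipv6_available" -eq 0 ]'. This hunk also gates on a different variable than the first hunk ('-n "$net6"'); the two should agree. Finally, 'add pass ip6 from any to any proto tcp established' is wider than the IPv4 rule directly above it ('from me to any'); since the first hunk already uses 'me6', 'add pass ip6 from me6 to any proto tcp established' keeps the two address families in step without widening the rule.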
> > I suspect the keepalive timer doesn't work well for IPv6.
> > So, I changed it to use the traditional setup/established rule for TCP/IPv6.
> > Further, 'me' doesn't match an IPv6 address.

FWIW, I have been seeing this since the last update of OpenSSH. I never
saw it until then. It's a real pain and I'd love to see it fixed. Right
now I'm forced to use IPv4 for the jobs that I tunnel in SSH.
-- 
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman_at_es.net                  Phone: +1 510 486-8634
Key fingerprint: 059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751

Received on Mon Nov 23 2009 - 18:52:51 UTC