ipfw rules to support IPv6

Hi all,

I need to add udp and tcp rules to allow traffic through 53 (for DNS server) for IPv6 addresses on FreeBSD 7.1 (amd). ipfw is not accepting udp6/tcp6. I can add udp/tcp rules with IPv6 addresses, but traffic is not coming as expected. I added ip6 rules for those IPv6 interfaces, still DNS traffic is getting denied.

Please help.

Thanks & Regards,
Manju
 
Post your rules please, so we can have a look. Obfuscate your addresses if needed.
 
I get a response when I add the following (it allows all traffic, so that is expected):

Code:
allow ip from any to any

I tried each of the following rules. There is no response from the server.

1.
Code:
allow udp from any to <server IPv6 address> dst-port 53 keep-state

2.
Code:
allow ip6 from any to <server IPv6 address> dst-port 53 keep-state

3.
Code:
allow ip from any to any dst-port 53 keep-state

4.
Code:
allow ip6 from any to any dst-port 53 keep-state

I can't see any traffic when I check with ipfw -d list. It might be a configuration issue.
 
manju_kalita said:
I need to add udp and tcp rules to allow traffic through 53 (for DNS server) for IPv6 addresses on FreeBSD 7.1 (amd). ipfw is not accepting udp6/tcp6. I can add udp/tcp rules with IPv6 addresses, but traffic is not coming as expected. I added ip6 rules for those IPv6 interfaces, still DNS traffic is getting denied.

You may wish to ensure that ipv6-icmp is enabled between the hosts for neighbor solicitation to function properly. You will need to implicitly enable it if your rule set defaults to deny.

Though this may not have helped you in time, hopefully it will help other users that are running into IPv6+IPFW issues and landing here.
 
Probably you also need "allow ip(6) from any to any established". Did you check the ipfw byte/packet counters for each rule ("ipfw show")?
And finally, try to put the options after the main body, so it looks like this (I checked this on 8.2-STABLE; I don't know whether it works on 7.1):
Code:
allow ip6 from me6 to any proto udp dst-port 53 keep-state // Allow outgoing IPv6 DNS queries
allow ip6 from me6 to any proto udp src-port 53 keep-state // Allow outgoing IPv6 DNS answers

allow ip6 from any to me6 proto udp dst-port 53 keep-state // Allow incoming IPv6 DNS queries
allow ip6 from any to me6 proto udp src-port 53 keep-state // Allow incoming IPv6 DNS answers

allow ip6 from any to any established // Allow established and related session

I don't know what kind of server you have: is it a DNS server or just a DNS client? I wrote rules for both ;)
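A complete rc.firewall-style script that combines the two points made in this thread, the ICMPv6 neighbor discovery requirement and the stateful me6 DNS rules, is shown below as an added example; it is not something posted in the thread or shipped with FreeBSD. The interface name em0, the rule numbers and the dry-run default (FWCMD set to echo, so the rules are only printed) are all assumptions; on the firewall host it would be run with FWCMD=/sbin/ipfw.

```shell
#!/bin/sh
# Added example (not from the thread): IPv6 DNS server/client ruleset for
# ipfw in the style of /etc/rc.firewall. Assumptions: external interface
# em0, these rule numbers, and FWCMD=echo as a dry run that only prints the
# rules. On the firewall host, run with FWCMD=/sbin/ipfw to load them.

: "${FWCMD:=echo}"
: "${IFACE:=em0}"

# Emit (or load) the IPv6 rules. $1 is the command prefixed to each rule.
gen_dns6_rules() {
    fw="$1"
    # Neighbor discovery (RS/RA/NS/NA, types 133-136) is ICMPv6; on a
    # default-deny ruleset it must be allowed explicitly or no IPv6 neighbor
    # is ever reachable. Types 1-4 are the error messages, 128/129 echo.
    $fw add 100 allow ipv6-icmp from any to any icmp6types 1,2,3,4,128,129,133,134,135,136
    $fw add 110 allow ip6 from any to any via lo0
    # Match replies belonging to a tracked (keep-state) flow first
    $fw add 150 check-state
    # DNS server side: queries arriving on the external interface
    $fw add 200 allow ip6 from any to me6 proto udp dst-port 53 in recv "$IFACE" keep-state
    $fw add 210 allow tcp from any to me6 dst-port 53 in recv "$IFACE" setup keep-state
    # Resolver side: queries this host sends out itself
    $fw add 300 allow ip6 from me6 to any proto udp dst-port 53 out xmit "$IFACE" keep-state
    $fw add 310 allow tcp from me6 to any dst-port 53 out xmit "$IFACE" setup keep-state
    # Established TCP sessions (RST or ACK set) not covered by dynamic rules
    $fw add 400 allow tcp from any to any established
    # Everything else over IPv6 is logged and dropped; "ipfw show" then
    # reveals which rule a blocked query is hitting.
    $fw add 65000 deny log ip6 from any to any
}

gen_dns6_rules "$FWCMD"
```

The check-state rule sits before the stateful rules so that answers to tracked queries never reach the final deny, and the ICMPv6 rule comes first because neighbor solicitation has to succeed before any UDP or TCP packet can even be delivered.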
 
I am having a somewhat related issue ... I have a VM running a mail server and use ipfw to forward ports. If I add IPv6 rules for accept established after the nat rule it is fine, but if I add the tcp udp icmp me6 to any setup keep-state rule before the nat rule it works, and after the nat rule it does not.
I also noticed I had net.inet6.ip6.fw.enable=1 in sysctl.conf, but this means enable IPv6 filtering in the ipfw firewall ..

Is there some setting like nat4 or nat6 to specifically stop the nat rule from messing with IPv6?

I was looking through the man page, and I am not intending to translate IPv4 to IPv6, since the server is not doing any routing except to the internal mail server, I guess.

Any help appreciated thanks!
 
I am having a somewhat related issue ... I have a VM running a mail server and use ipfw to forward ports. If I add IPv6 rules for accept established after the nat rule it is fine, but if I add the tcp udp icmp me6 to any setup keep-state rule before the nat rule it works, and after the nat rule it does not.

This thread has been dormant for nearly twelve years. Much has changed in ipfw since then, regarding IPv6 in particular. Refer to ipfw(8) and /etc/rc.firewall for useful examples.

Please start a new thread for this, and do not describe your network or ruleset in words, but with configuration details and complete ruleset in code blocks. Thanks.