IPFW Incoming ICMPv6 Echo Requests dropped

Hello, first time poster.
Set up a small FreeBSD 10.3-RELEASE-p7 #0 VMware VPS with a hosting company.

My specs are as follows:
Code:
Disk:   20 MB
RAM:  1024 MIB
CPUs: 2
IPv4:  2 address
IPv6:  /64 HE tunnel
IPv6 works fine. I can access and ping any IPv6 address, but incoming pings are dropped.
The IPFW firewall works fine as well, except that when it is running I cannot receive incoming echo requests.
I have used a very simple IPFW script on two other VPS setups and pinging either way worked fine. For whatever reason, it's not working with this VPS.

Code:
xxxx ~ # ipfw show
00010    0       0 allow ip from any to any via lo0
00020    0       0 deny ip from any to 127.0.0.0/8
00030    0       0 deny ip from 127.0.0.0/8 to any
00040    0       0 deny tcp from any to any frag
00050    0       0 check-state
00060  655  146991 allow tcp from any to any established
00070  494   37368 allow ip from any to any out keep-state
00080    2      80 allow icmp from any to any
00085    0       0 allow ipv6-icmp from me to any via gif0 ip6 icmp6types 128,129
00090    0       0 allow ipv6-icmp from any to me via gif0 ip6 icmp6types 128,129
00200    1      60 allow tcp from any to any dst-port 44379 in
00210    0       0 allow tcp from any to any dst-port 44379 out
00400 8341 2515998 deny udp from any to any in
00500  508   25020 deny log logamount 5 ip from any to any
65535   17    1959 deny ip from any to any
xxxx ~ #
Any ideas?
Thank you.
 
Code:
00070  494   37368 allow ip from any to any out keep-state

try to add

Code:
00071 allow ip6 from any to any out keep-state
00090 allow ipv6-icmp from any to me in via gif0 ip6 icmp6types 128,129 keep-state
 
Good day and thank you, ruthr.

Added your suggested rules, no joy:
Code:
00070 16  1432 allow ip from any to any out keep-state
00071  0     0 allow ip6 from any to any out keep-state
00080  0     0 allow icmp from any to any
00085  0     0 allow ipv6-icmp from me to any via gif0 ip6 icmp6types 128,129
00090  0     0 allow ipv6-icmp from any to me via gif0 ip6 icmp6types 128,129 keep-state
Not sure what's wrong, my original script worked fine on two prior instances.
 
Turns out that not just incoming icmp6, but all unsolicited incoming IPv6 traffic is dropped.

When I set 'firewall_enable' to '"NO"' and reboot the instance, I can ping all IPv6 addresses from a remote box. However, when it is set to '"YES"', all unsolicited incoming IPv6 traffic is dropped.

To test it, I added an IPv6 port to 'sshd_config' and restarted the service. As expected, I could not connect to the IPv6 port.

I even changed 'me' to 'me6', but it didn't make a difference:
Code:
$IPFW 85 allow icmp6 from me6 to any via gif0 icmp6types 128,129
$IPFW 90 allow icmp6 from any to me6 via gif0 icmp6types 128,129 keep-state
Don't really know what to do next (other than to try pf).
 
Can you try these simple rules:

Code:
0001 check-state #to check dynamic rules table

0002 allow all from any to any out keep-state

0003 allow ip6 from any to any out keep-state

0004 allow ipv6-icmp from any to any keep-state
 
Good day and thank you, ruthr.

Tried your simple rules, still no joy.

I have another VPS instance with native IPv6 on which my original script works as intended. My original script is the same script as the one that doesn't work on the HE tunnel VPS instance.

Apparently, there is something about an IPv4 to IPv6 tunnel that interferes with how IPFW deals with incoming IPv6 traffic. I'll take a look at the HE forums to try and find anything that may have been reported similar to my issue.

By the way, by accident, I discovered that if I ping6 an external box from the offending VPS instance, I am able to ping6 in successfully from the external box -- but only for a few seconds after pinging out.
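
A counter check over the first `ipfw show` listing in this thread, as an added example that is not from any poster: it reports allow rules for a protocol that have never matched and the deny rules that counted packets after them. The sample text is copied from that listing and the function names are hypothetical. Background assumed: a 6in4 tunnel such as HE's delivers packets to the physical interface as IPv4 protocol 41 before gif0 sees the inner IPv6 packet.

```python
import re

# Constructed sample: rule lines copied from the first `ipfw show` listing in the thread.
SAMPLE = """\
00010    0       0 allow ip from any to any via lo0
00020    0       0 deny ip from any to 127.0.0.0/8
00030    0       0 deny ip from 127.0.0.0/8 to any
00040    0       0 deny tcp from any to any frag
00050    0       0 check-state
00060  655  146991 allow tcp from any to any established
00070  494   37368 allow ip from any to any out keep-state
00080    2      80 allow icmp from any to any
00085    0       0 allow ipv6-icmp from me to any via gif0 ip6 icmp6types 128,129
00090    0       0 allow ipv6-icmp from any to me via gif0 ip6 icmp6types 128,129
00200    1      60 allow tcp from any to any dst-port 44379 in
00210    0       0 allow tcp from any to any dst-port 44379 out
00400 8341 2515998 deny udp from any to any in
00500  508   25020 deny log logamount 5 ip from any to any
65535   17    1959 deny ip from any to any
"""

# rule number, packet count, byte count, action, remainder of the rule
RULE = re.compile(r"^(\d{5})\s+(\d+)\s+(\d+)\s+(allow|deny|check-state)\b\s*(.*)$")

def parse_show(text):
    """Return one dict per rule line of `ipfw show` output; other lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE.match(line.strip())
        if m:
            num, pkts, byts, action, body = m.groups()
            rules.append({"num": int(num), "packets": int(pkts),
                          "bytes": int(byts), "action": action, "body": body})
    return rules

def never_matched(rules, proto):
    """Numbers of allow rules whose first body token is `proto` and whose packet counter is 0."""
    return [r["num"] for r in rules
            if r["action"] == "allow" and r["packets"] == 0
            and r["body"].split()[:1] == [proto]]

def denies_hit_after(rules, num):
    """(number, packets) of deny rules after `num` that did count packets."""
    return [(r["num"], r["packets"]) for r in rules
            if r["action"] == "deny" and r["num"] > num and r["packets"] > 0]

if __name__ == "__main__":
    rules = parse_show(SAMPLE)
    for n in never_matched(rules, "ipv6-icmp"):
        print(f"rule {n:05d} never matched; later denies with hits: {denies_hit_after(rules, n)}")
```

Zero counters on an allow rule while later deny rules keep counting means the traffic is not reaching the firewall in the form that allow rule describes.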
 