List:       ipfilter
Subject:    ipfstat not displaying ipv6 icmp rules?
From:       prabhakar lakhera <prabhakar.lakhera () gmail ! com>
Date:       2011-04-26 23:18:48
Message-ID: 25236_1303860392_4DB754A8_25236_10322_1_BANLkTimmO-GPW7Qa7G7-3W71HgpaS9e-Mw () mail ! gmail ! com

Hi,

I have ipf version 4.1.28 on my system (FreeBSD 7.2). I did search the
archive and found something similar:

http://marc.info/?l=ipfilter&m=101246930105753&w=2

In the rc.conf file I have ipv6_ipfilter_rules="/etc/ipf6.base.rules". The
end part of the rules file looks like this:

##########################
....
....
pass in quick proto ipv6-icmp all icmp-type 134 #Router advertisement
pass in quick proto ipv6-icmp all icmp-type 135 #Neighbor solicitation
pass in quick proto ipv6-icmp all icmp-type 136 #Neighbor advertisement
pass in quick proto ipv6-icmp all icmp-type 137 #Redirect from routers
pass in quick proto ipv6-icmp all icmp-type 2 #packet too big
block in quick all
pass out quick proto tcp all keep state
pass out quick proto udp all keep state
pass out quick proto ipv6-icmp all
block in quick proto ipv6-icmp all
##########################

This is what ipfstat prints out:

bash-3.2$ sudo ipfstat -6io
pass out quick on lo0 all
pass out quick on lofb all
pass out quick proto tcp/udp from any to any port = domain keep state
pass out quick proto tcp from any to any keep state
pass out quick proto udp from any to any keep state
pass out quick proto ipv6-icmp from any to any
pass in quick on lo0 all
pass in quick on lofb all
pass in quick from any to any with frag
pass in quick proto tcp/udp from any to any port = ntp keep state
pass in quick proto tcp from any to any port = https keep state
pass in quick proto tcp from any to any port = telnet keep state
pass in quick proto tcp from any to any port = ssh keep state
pass in quick proto tcp/udp from any to any port = sunrpc keep state
block return-rst in quick proto tcp from any to any port = auth
block in quick proto udp from any to any port = auth
block return-rst in quick proto tcp from any to any port = echo
block return-rst in quick proto tcp from any to any port = http
block return-rst in quick proto tcp from any to any port = kshell
block in quick proto udp from any to any port = http
pass in quick proto tcp/udp from any to any port > 1023 keep state
pass in quick proto ipv6-icmp from any to any
pass in quick proto ipv6-icmp from any to any
pass in quick proto ipv6-icmp from any to any
pass in quick proto ipv6-icmp from any to any
pass in quick proto ipv6-icmp from any to any
block in quick all
block in quick proto ipv6-icmp from any to any

Is it that ipfstat is not displaying the icmp-type for IPv6 or there's
something that's missing? Please let me know.

Question 2: While specifying IPv4 and IPv6 rules in two different files, is
it a must to include TCP rules in both (and make them same to have same
behavior)?


Best regards,
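
An added example, not part of the original message: one way to compare a rules file against an `ipfstat -6io` listing and flag rules whose `icmp-type` qualifier does not appear in the listing. The sample data is constructed from lines quoted in the post; the `normalize` and `audit` helpers are hypothetical names, and the `proto X all` to `from any to any` rewrite is an assumption taken from how the listing above prints such rules.

```python
import re
from collections import Counter

# Constructed sample: a few lines taken from the rules file and the listing quoted in the post.
RULES_FILE = """\
pass in quick proto ipv6-icmp all icmp-type 134 #Router advertisement
pass in quick proto ipv6-icmp all icmp-type 2 #packet too big
block in quick all
pass out quick proto tcp all keep state
"""
IPFSTAT_LISTING = """\
pass out quick proto tcp from any to any keep state
pass in quick proto ipv6-icmp from any to any
pass in quick proto ipv6-icmp from any to any
block in quick all
"""

def normalize(line):
    """Drop comments; rewrite 'proto X all' as the listing in the post prints it."""
    line = line.split("#", 1)[0]
    line = re.sub(r"(proto \S+) all\b", r"\1 from any to any", line)
    return " ".join(line.split())

def without_icmp_type(rule):
    return " ".join(re.sub(r"\bicmp-type \S+", "", rule).split())

def audit(rules_text, listing_text):
    """Classify each file rule as 'listed', 'icmp-type not shown' or 'not listed'."""
    listed = Counter(normalize(l) for l in listing_text.splitlines() if l.strip())
    report = []
    for raw in rules_text.splitlines():
        rule = normalize(raw)
        if not rule.startswith(("pass", "block")):
            continue  # separators, '....' elisions, blank lines
        bare = without_icmp_type(rule)
        if listed[rule] > 0:
            key, status = rule, "listed"
        elif bare != rule and listed[bare] > 0:
            key, status = bare, "icmp-type not shown"
        else:
            key, status = None, "not listed"
        if key is not None:
            listed[key] -= 1  # consume one listing line per file rule
        report.append((rule, status))
    return report

if __name__ == "__main__":
    for rule, status in audit(RULES_FILE, IPFSTAT_LISTING):
        print(f"{status:20} {rule}")
```

A rule reported as "icmp-type not shown" only says the listing omits the qualifier; whether the loaded rule still matches on type has to be confirmed separately, for example with per-rule hit counts (`ipfstat -h`) under known test traffic.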
