Current-Users archive
Re: netbsd-7 ipfilter failure?
On Sun, 26 Oct 2014, 6bone%6bone.informatik.uni-leipzig.de@localhost wrote:
> I am trying to configure an IPv6-only host. To block the IPv4
> traffic I added the following filter to /etc/ipf.conf:
>
>     block in on ixg0
>
> The filter works, but also blocks IPv6 traffic. So I tried to
> enable IPv6 in /etc/ipf6.conf with
>
>     pass in on ixg0
>
> This enables all traffic, IPv4 and IPv6.
I would add "family inet" to rules that are intended to apply only to
IPv4, and "family inet6" to rules that are intended to apply only to
IPv6. Something like this (not tested):

    block in on ixg0 family inet
    pass in on ixg0 family inet6
> Is this intentional behavior? In my opinion it is a security
> risk if IPv6 firewall rules can break IPv4 rules.
I can't find any documentation for the /etc/ipf6.conf file, so
I don't know what the intended semantics of /etc/ipf6.conf are.
("man ipf6.conf" simply displays the ipf.conf man page, which
does not explain the ipf6.conf file.) The implementation in
/etc/rc.d/ipfilter loads the ipf6.conf file with ipf(8) commands
that use the "-6" command line option, which is documented as
"This option is required to parse IPv6 rules and to have them
loaded."
The "-6" option is not documented to imply that any rules in
the file are IPv6-only, so I think it's wrong to assume that
rules in /etc/ipf6.conf are IPv6 firewall rules; they are simply
firewall rules that might or might not apply to IPv6, and you
should further qualify the rules with "family" clauses that match
the desired address family, or "from" or "to" clauses that imply
an address family.
--apb (Alan Barrett)
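A quick check for the point made in the reply above, added here as an example and not part of the thread or of NetBSD itself: a small POSIX shell/awk lint that reports the rules in an ipf rule file that carry neither a "family" clause nor a "from"/"to" address that implies an address family. Such rules are the ones whose scope is decided by the traffic rather than by the file they live in. The matching heuristic and the constructed sample files (temporary copies of an ipf.conf and ipf6.conf modelled on the rules quoted above) are assumptions of this example; it is not a full ipf.conf(5) parser.

```shell
#!/bin/sh
# Added example (not from the thread, not NetBSD code): list ipf rules that
# carry no address-family qualifier. Per the reply above, such a rule may
# apply to IPv4 as well as IPv6 whichever file it sits in, and loading the
# file with "ipf -6" does not change that.
#
# Assumption (heuristic, not a full ipf.conf(5) parser): a rule counts as
# family-qualified if it contains "family inet" / "family inet6", or a
# from/to address written as an IPv4 dotted quad or an IPv6 literal (':').
# "from any to any" implies no family and is therefore reported.

ipf_family_lint() {
    # $1: rule file. Prints "<line>: <rule>" for every unqualified rule.
    awk '
        /^[ \t]*(#|$)/                                    { next }  # comment / blank
        /family[ \t]+inet6?([ \t]|$)/                     { next }  # explicit family
        /(from|to)[ \t]+!?[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/ { next }  # IPv4 literal
        /(from|to)[ \t]+!?[0-9A-Fa-f]*:/                  { next }  # IPv6 literal
        { printf "%d: %s\n", NR, $0 }
    ' "$1"
}

# Constructed sample files modelled on the thread, written to a temp dir so
# the script runs without touching /etc.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

cat > "$demo_dir/ipf.conf" <<'EOF'
# Original poster's rule: not qualified, so it is not IPv4-only
block in on ixg0
# Qualified alternatives
block in on ixg0 family inet
pass in on ixg0 from 192.0.2.0/24 to any
EOF

cat > "$demo_dir/ipf6.conf" <<'EOF'
# Loading with "ipf -6" does not make this IPv6-only
pass in on ixg0
pass in on ixg0 family inet6
pass in on ixg0 from 2001:db8::/32 to any
EOF

for f in ipf.conf ipf6.conf; do
    echo "== unqualified rules in $demo_dir/$f"
    ipf_family_lint "$demo_dir/$f"
done
```

Point it at /etc/ipf.conf and /etc/ipf6.conf before loading them; each line it reports is a rule that should get a "family inet"/"family inet6" clause (or a from/to address) if it is meant for one protocol only. It knows nothing about rule groups or "quick", so treat it as a first pass over the files, not as a statement of what the kernel will do with them.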