Date: Wed, 29 Oct 2014 02:56:56 -0400
From: Alan Barrett <apb%cequrux.com@localhost>
To: current-users%netbsd.org@localhost
Subject: Re: netbsd-7 ipfilter failure?
On Sun, 26 Oct 2014, 6bone%6bone.informatik.uni-leipzig.de@localhost wrote:
> I am trying to configure an ipv6 only host. To block the ipv4 traffic I
> added the following filter to /etc/ipf.conf:
>
> block in on ixg0
>
> The filter works, but also blocks ipv6 traffic. So I tried to enable ipv6
> in /etc/ipf6.conf with
>
> pass in on ixg0
>
> This enables all traffic, ipv4 and ipv6.
I would add "family inet" to rules that are intended to apply only to
IPv4, and "family inet6" to rules that are intended to apply only to
IPv6. Something like this (not tested):

    block in on ixg0 family inet
    pass in on ixg0 family inet6

> Is this an intentional behavior? In my opinion it is a security risk if
> ipv6 firewall rules can break ipv4 rules.

I can't find any documentation for the /etc/ipf6.conf file, so I don't know
what the intended semantics of /etc/ipf6.conf are. ("man ipf6.conf" simply
displays the ipf.conf man page, which does not explain the ipf6.conf file.)
The implementation in /etc/rc.d/ipfilter loads the ipf6.conf file with ipf(8)
commands that use the "-6" command line option, which is documented as "This
option is required to parse IPv6 rules and to have them loaded."
The "-6" option is not documented to imply that any rules in the file are
IPv6-only, so I think it's wrong to assume that rules in /etc/ipf6.conf are
IPv6 firewall rules; they are simply firewall rules that might or might not
apply to IPv6, and you should further qualify the rules with "family" clauses
that match the desired address family, or "from" or "to" clauses that imply
an address family.
--apb (Alan Barrett)
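The following is an added illustration, not part of Alan's message or of NetBSD's ipfilter code. It is a toy model of how the two files end up interacting: it assumes that /etc/rc.d/ipfilter loads ipf.conf and then ipf6.conf into one rule list, that IPFilter applies last-match-wins semantics for rules without "quick", that a rule with no "family" clause matches both address families, and that a packet matched by no rule is passed. The rule strings, interface name ixg0 and the helper names (parse_rule, load_rules, evaluate, verdicts) are constructed for the example.

```python
"""Toy model of IPFilter rule evaluation (constructed example, not ipf(8)).

Assumptions modelled here:
- /etc/rc.d/ipfilter loads ipf.conf first, then ipf6.conf, into one rule list;
  the "-6" flag only lets IPv6 syntax be parsed, it does not restrict the
  rules to IPv6.
- Without "quick", the last matching rule decides the packet's fate.
- A rule without a "family" clause matches both IPv4 and IPv6 packets.
- A packet matched by no rule at all is passed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Rule:
    action: str             # "block" or "pass"
    direction: str          # "in" or "out"
    iface: Optional[str]    # interface named after "on", None = any interface
    family: Optional[str]   # "inet", "inet6", or None = either family
    quick: bool = False     # "quick": stop evaluating when this rule matches


def parse_rule(line: str) -> Rule:
    """Parse the small subset of ipf.conf syntax used in this thread."""
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] not in ("block", "pass") \
            or tokens[1] not in ("in", "out"):
        raise ValueError(f"unsupported rule: {line!r}")
    rule = Rule(action=tokens[0], direction=tokens[1], iface=None, family=None)
    i = 2
    while i < len(tokens):
        tok = tokens[i]
        if tok == "quick":
            rule.quick = True
            i += 1
        elif tok == "on" and i + 1 < len(tokens):
            rule.iface = tokens[i + 1]
            i += 2
        elif tok == "family" and i + 1 < len(tokens) \
                and tokens[i + 1] in ("inet", "inet6"):
            rule.family = tokens[i + 1]
            i += 2
        else:
            raise ValueError(f"unsupported token {tok!r} in {line!r}")
    return rule


def load_rules(ipf_conf: str, ipf6_conf: str) -> List[Rule]:
    """Mimic the rc.d script: ipf.conf rules first, then ipf6.conf rules,
    all appended to the same list."""
    text = ipf_conf + "\n" + ipf6_conf
    lines = [ln.strip() for ln in text.splitlines()]
    return [parse_rule(ln) for ln in lines if ln and not ln.startswith("#")]


def evaluate(rules: List[Rule], direction: str, iface: str, family: str) -> str:
    """Return "pass" or "block" for a packet of the given direction, interface
    and address family, using last-match-wins unless a matching rule is quick."""
    verdict = "pass"  # default when nothing matches
    for r in rules:
        if r.direction != direction:
            continue
        if r.iface is not None and r.iface != iface:
            continue
        if r.family is not None and r.family != family:
            continue
        verdict = r.action
        if r.quick:
            break
    return verdict


# Constructed rule sets: the original poster's files, then Alan's suggestion.
ORIGINAL_IPF = "block in on ixg0\n"
ORIGINAL_IPF6 = "pass in on ixg0\n"
FIXED_IPF = "block in on ixg0 family inet\n"
FIXED_IPF6 = "pass in on ixg0 family inet6\n"


def verdicts(ipf_conf: str, ipf6_conf: str) -> Dict[str, str]:
    """Verdict for an inbound packet on ixg0, per address family."""
    rules = load_rules(ipf_conf, ipf6_conf)
    return {fam: evaluate(rules, "in", "ixg0", fam) for fam in ("inet", "inet6")}


if __name__ == "__main__":
    print("original files:", verdicts(ORIGINAL_IPF, ORIGINAL_IPF6))
    print("family-qualified:", verdicts(FIXED_IPF, FIXED_IPF6))
```

With the original files, the unqualified "pass in on ixg0" from ipf6.conf is the last match for IPv4 as well as IPv6 packets, so everything is passed; with the family clauses added, IPv4 is blocked and only IPv6 is passed. The model also accepts "quick", so a "block in quick on ixg0 family inet" in ipf.conf would block IPv4 regardless of what a later unqualified rule says.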