Current-Users archive


Re: netbsd-7 ipfilter failure?

I changed /etc/ipf.conf to:

block in on ixg0 inet

/etc/ipf6.conf to:

pass in on ixg0 inet6

now 'ipfstat -i -o' reports:

# empty list for ipfilter(out)
block in on ixg0 inet all

'ipfstat -i -o -6' reports:

# empty list for ipfilter(out)
pass in on ixg0 inet6 all

Unfortunately, ipv4 is not working anymore. 'ipfstat -h ....' indicates that ipv4 packets are matching both the ipv4 and the ipv6 chain.


On Wed, 29 Oct 2014, Alan Barrett wrote:

Date: Wed, 29 Oct 2014 02:56:56 -0400
From: Alan Barrett <>
Subject: Re: netbsd-7 ipfilter failure?

On Sun, 26 Oct 2014, wrote:
I am trying to configure an ipv6 only host. To block the ipv4 traffic I added the following filter to /etc/ipf.conf:

block in on ixg0

The filter works, but also blocks ipv6 traffic. So I tried to enable ipv6 in /etc/ipf6.conf with

pass in on ixg0

This enables all traffic, ipv4 and ipv6.

I would add "family inet" to rules that are intended to apply only to
IPv4, and "family inet6" to rules that are intended to apply only to
IPv6.  Something like this (not tested):

  block in on ixg0 family inet
  pass in on ixg0 family inet6

Is this intentional behavior? In my opinion it is a security risk if ipv6 firewall rules can break ipv4 rules.

I can't find any documentation for the /etc/ipf6.conf file, so I don't know what the intended semantics of /etc/ipf6.conf are. ("man ipf6.conf" simply displays the ipf.conf man page, which does not explain the ipf6.conf file.) The implementation in /etc/rc.d/ipfilter loads the ipf6.conf file with ipf(8) commands that use the "-6" command line option, which is documented as "This option is required to parse IPv6 rules and to have them loaded."

The "-6" option is not documented to imply that any rules in the file are IPv6-only, so I think it's wrong to assume that rules in /etc/ipf6.conf are IPv6 firewall rules; they are simply firewall rules that might or might not apply to IPv6, and you should further qualify the rules with "family" clauses that match the desired address family, or "from" or "to" clauses that imply an address family.

--apb (Alan Barrett)
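The practical consequence of the explanation above is that every rule in both /etc/ipf.conf and /etc/ipf6.conf needs either a "family" clause or a from/to address that pins it to one address family; an unqualified rule such as "pass in on ixg0" matches both, whichever file it was loaded from. The script below is an added example, not part of the thread and not NetBSD's own tooling: a small lint that scans ipf rule text and reports rules whose address family cannot be determined. It recognises "family inet"/"family inet6" as well as the bare "inet"/"inet6" keyword that ipfstat prints after the interface (treating both spellings alike is an assumption), and infers the family from a literal from/to address. The sample rule files are constructed to mirror the unqualified and qualified rules posted in the thread.

```python
"""Lint NetBSD ipfilter rules for missing address-family qualification.

Added example, not code from the mailing-list thread or from NetBSD.
Assumption (matching the behaviour observed in the thread): a rule with
no family clause and no literal from/to address matches both IPv4 and
IPv6, regardless of whether it was loaded with "ipf -6".
"""
import ipaddress
from typing import List, Optional, Tuple


def rule_family(rule: str) -> Optional[str]:
    """Return 'inet', 'inet6', or None for a single ipf rule line.

    An explicit family keyword wins. The thread shows "family inet6" in
    the config and the bare "inet6" keyword in ipfstat output; both are
    accepted here (assumption: they mean the same thing). Failing that,
    a literal address after "from" or "to" implies the family.
    """
    tokens = rule.split()
    for tok in tokens:
        if tok in ("inet", "inet6"):
            return tok
    for i, tok in enumerate(tokens[:-1]):
        if tok in ("from", "to") and tokens[i + 1] != "any":
            try:
                net = ipaddress.ip_network(tokens[i + 1], strict=False)
            except ValueError:
                continue  # hostname, negation, etc.: nothing to infer
            return "inet6" if net.version == 6 else "inet"
    return None


def lint_rules(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, rule, message) for every unqualified rule.

    Comments ('#' to end of line) and blank lines are skipped.
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        rule = raw.split("#", 1)[0].strip()
        if not rule:
            continue
        if rule_family(rule) is None:
            findings.append((
                lineno,
                rule,
                "no address family: rule matches both IPv4 and IPv6 "
                "even if loaded with 'ipf -6'",
            ))
    return findings


# Constructed sample files echoing the thread's rules (not real hosts).
IPF_CONF = """\
# /etc/ipf.conf as first posted: intended to block IPv4 only
block in on ixg0
"""

IPF6_CONF = """\
# /etc/ipf6.conf as first posted: intended to pass IPv6 only
pass in on ixg0
# qualified variants that do what was intended
pass in on ixg0 family inet6
pass in quick on ixg0 proto tcp from 2001:db8::/32 to any port = 22
"""


if __name__ == "__main__":
    for name, text in (("/etc/ipf.conf", IPF_CONF),
                       ("/etc/ipf6.conf", IPF6_CONF)):
        for lineno, rule, msg in lint_rules(text):
            print(f"{name}:{lineno}: {rule!r}: {msg}")
```

Run it against the real files (for example `python3 lint_ipf.py` after pointing the constants at the contents of /etc/ipf.conf and /etc/ipf6.conf) before reloading the rules; each reported line is one that will match both families, which is exactly the case that let the ipf6.conf "pass" rule open up IPv4 in the thread.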
