Current-Users archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: netbsd-7 ipfilter failure?

Greg Troxel wrote:
>Alan Barrett <> writes:
>> I can't find any documentation for the /etc/ipf6.conf file, so I don't
>> know what the intended semantics of /etc/ipf6.conf are. ("man
>> ipf6.conf" simply displays the ipf.conf man page, which does not
>> explain the ipf6.conf file.)  The implementation in /etc/rc.d/ipfilter
>> loads the ipf6.conf file with ipf(8) commands that use the "-6"
>> command line option, which is documented as "This option is required
>> to parse IPv6 rules and to have them loaded."
>> The "-6" option is not documented to imply that any rules in the file
>> are IPv6-only, so I think it's wrong to assume that rules in
>> /etc/ip6.conf are IPv6 firewall rules; they are simply firewall rules
>> that might or might not apply to IPv6, and you should further qualify
>> the rules with "family" clauses that match the desired address family,
>> or "from" or "to" clauses that imply an address family.
>My impression has always been that ipf6.conf is loaded with -6 and
>contains only IPv6 rules, and that ipf.conf is loaded without -6 and
>contains only IPv4 rules.  I have not found this confusing or
>troublesome.  On some systems I have fairly different v4 and v6 rules,
>and they have worked as expected (from a 2-table separate-world POV).
>Is there actually only one ruleset?   Are rules loaded with -6 actually
>evaluated for IPv4 packets?

There is only one ruleset and should be only one rule file, see this
email from Darren Reed:


Robert Swindells

Home | Main Index | Thread Index | Old Index