Re: Packet Filtering

To: Robert Swindells <rjs%fdy2.co.uk@localhost>
Subject: Re: Packet Filtering
From: Darren Reed <darrenr%netbsd.org@localhost>
Date: Mon, 29 Oct 2012 00:55:01 +0100

Robert,

On Sun, Oct 28, 2012, at 04:15 PM, Robert Swindells wrote:
...
> I just want to run NAT on IPv4 and to block everything except a small
> list of ports from outside on both IPv4 and IPv6, I can't believe this
> is all that unusual.

Anything involving IPv6 is pretty much "unusual" at this point in time.
People are getting excited when they see that the percentage of IPv6
users is in the single digit percentage range.

> IPF seemed to work ok until the update to 5.1.1. After this I was
> unable to get IPv6 to work while still blocking most IPv4 ports.

The update of IPFilter to 5.1.1 has meant that the same
configuration file is used for both IPv6 and IPv4. Some
rules will apply to both IPv6 and IPv4 packets where before
they only applied to IPv4 or IPv6. Whilst it is easy to mark
all of the rules from ipf6.conf as being IPv6 only, it is
substantially harder to decide that rules which are amibiguous
about which IP protocol family they pertain to for rules that
are from ipf.conf. IPv6 rules from ipf6.conf are loaded with
the "-6" switch on ipf(8)'s CLI but for IPv4 or combined IPv4
and IPv6 rules in ipf.conf, there is no CLI option.

Additionally, I need to check for documentation of ipf6.conf
in current and mention that this file is historical in nature
and should no longer be used.

If you currently have both ipf.conf and ipf6.conf, merge them
into one file - ipf.conf. This should help you rationalise what
your rules actually are. For example, I suspect that your "block
any" rule for ipf.conf is now impacting IPv6 whereas before it
had no impact on IPv6 packets.

The parsing of ipf.conf will attempt to determine what protocol
family a rule should be in based on the format of the IP address
in the rule but in some cases, it is necessary to formally state
whether it is an IPv4 or IPv6 rule. Examples of that are when
writing a rule to match ICMP ECHO packets because the type code
for IPv4 and IPv6 is different.

If you've got more questions, keep asking...

Darren

Follow-Ups:
- Re: Packet Filtering
  - From: Mouse

References:
- Packet Filtering
  - From: Robert Swindells

Prev by Date: Re: Packet Filtering
Next by Date: Re: Introducing NPF in NetBSD 6.0
Previous by Thread: Re: Packet Filtering
Next by Thread: Re: Packet Filtering
Indexes:

Home | Main Index | Thread Index | Old Index