Configuring Firewall BSD/MacOS X?
Shadow Hawkins on Wednesday, 09 April 2008 02:19:11
Hi,
I am trying to configure the ip6 firewall on my Mac. The Mac is going to be acting as the router to my IPv6 subnet, connecting via aiccu. Currently what I have is as follows:
ip6fw -f flush
ip6fw add 1000 allow tcp from any to 2001:4978:15d::/64 ssh,http setup
ip6fw add 2100 allow ipv6 from 2001:4978:15d::/64 to any
ip6fw add 2200 allow ipv6 from fe80::/10 to any
ip6fw add 2300 allow ipv6-icmp from 2001:4978:15d::/64 to any
ip6fw add 2400 allow ipv6-icmp from fe80::/10 to any
ip6fw add 2500 allow tcp from any to any established
ip6fw add 3000 deny log ipv6 from any to 2001:4978:15d::/64
and I have activated logging with the help of:
sysctl -w net.inet6.ip6.fw.verbose=2
My issue is that I cannot ping6 to machines outside of the network from the hosts of the network. I can ping6 to machines inside the network though. What I see in the system log is:
Apr 8 20:09:21 zanniati kernel[0]: ip6fw: 3000 Deny IPV6-ICMP:129.0 [2001:4860:0:1001::0068] [2001:4978:015d:0:0216:cbff:fe9f:dc47] in via tun0
I thought my rule 2300 would have taken care of that, but apparently it hasn't. Any ideas as to what I am doing wrong?
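Added illustration, not part of the post: a minimal first-match evaluator for the subset of ip6fw syntax used in the ruleset above, run against the packet in the logged deny line. It assumes ip6fw's ascending-number, first-match semantics and ignores TCP port lists; the packet fields are constructed from the log line.

```python
import ipaddress

def parse_rule(line):
    """Parse the ip6fw subset used in the thread into a dict."""
    t = line.split()[2:]                      # drop 'ip6fw add'
    if t[2] == "log":                         # 'log' does not affect matching
        del t[2]
    num, action, proto, src, dst = int(t[0]), t[1], t[2], t[4], t[6]
    rule = {"num": num, "action": action, "proto": proto, "icmptypes": None,
            "dir": None, "tcp": None,
            "src": ipaddress.ip_network("::/0" if src == "any" else src),
            "dst": ipaddress.ip_network("::/0" if dst == "any" else dst)}
    for j, tok in enumerate(t[7:]):           # port lists (ssh,http) are ignored
        if tok == "icmptypes":
            rule["icmptypes"] = {int(x) for x in t[8 + j].split(",")}
        elif tok in ("in", "out"):
            rule["dir"] = tok
        elif tok in ("setup", "established"):
            rule["tcp"] = tok
    return rule

def matches(rule, pkt):
    """True if the packet satisfies every qualifier the rule carries."""
    return ((rule["proto"] == "ipv6" or rule["proto"] == pkt["proto"])
            and pkt["src"] in rule["src"] and pkt["dst"] in rule["dst"]
            and rule["dir"] in (None, pkt["dir"])
            and (rule["icmptypes"] is None or pkt["icmptype"] in rule["icmptypes"])
            and rule["tcp"] in (None, pkt.get("tcp")))

def evaluate(rules, pkt):
    """First match wins, in ascending rule number, as ip6fw does."""
    for rule in sorted(rules, key=lambda r: r["num"]):
        if matches(rule, pkt):
            return rule["num"], rule["action"]
    return None, "default"  # the thread does not show the default rule 65535

ORIGINAL_RULES = [parse_rule(l) for l in """\
ip6fw add 1000 allow tcp from any to 2001:4978:15d::/64 ssh,http setup
ip6fw add 2100 allow ipv6 from 2001:4978:15d::/64 to any
ip6fw add 2200 allow ipv6 from fe80::/10 to any
ip6fw add 2300 allow ipv6-icmp from 2001:4978:15d::/64 to any
ip6fw add 2400 allow ipv6-icmp from fe80::/10 to any
ip6fw add 2500 allow tcp from any to any established
ip6fw add 3000 deny log ipv6 from any to 2001:4978:15d::/64
""".splitlines()]

def pkt(proto, src, dst, direction, icmptype=None):
    return {"proto": proto, "src": ipaddress.ip_address(src), "dir": direction,
            "dst": ipaddress.ip_address(dst), "icmptype": icmptype}

# Constructed from the kernel log line: ICMPv6 type 129 (echo reply), in via tun0.
INSIDE, GOOGLE = "2001:4978:15d:0:216:cbff:fe9f:dc47", "2001:4860:0:1001::68"
ECHO_REPLY = pkt("ipv6-icmp", GOOGLE, INSIDE, "in", 129)
```

Evaluating ECHO_REPLY returns rule 3000: rule 2300 only matches packets sourced from the /64, so the outbound echo request is covered (by 2100 already), but the inbound reply from outside is not.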
Configuring Firewall BSD/MacOS X?
Shadow Hawkins on Wednesday, 09 April 2008 02:31:52
I ended up getting things working. I found this useful reference:
http://horde.net/~jwm/software/misc/OS%20X%20Firewall%20StartupItem/Firewall
Changing the ipv6-icmp rule seems to have resolved the issue. I made it so only pinging out is allowed. I also removed the rules of the form "fe80::/10 to any", since I am not even sure they are necessary here.
ip6fw -f flush
ip6fw add 1000 allow tcp from any to 2001:4978:15d::/64 ssh,http setup
ip6fw add 2100 allow ipv6 from 2001:4978:15d::/64 to any
ip6fw add 2200 allow ipv6-icmp from 2001:4978:15d::/64 to any icmptypes 1,2,3,128 in
ip6fw add 2300 allow tcp from any to any established
ip6fw add 3000 deny log ipv6 from any to 2001:4978:15d::/64
Configuring Firewall BSD/MacOS X?
Jeroen Massar on Wednesday, 09 April 2008 11:40:42
Also do not forget to set a null-route for your /48, e.g. using something like:
route add -A inet6 2001:4978:15d::/48 dev lo0
That avoids any incoming packets that are directed to something other than the /64 you are using being sent back to the PoP, which sends them back to you ad infinitum until the HopCount becomes 0.
Next to that, do make sure your tunnel endpoint ping6s, so you need to allow pings from tunnel::1 to tunnel::2 and vice versa too.
Configuring Firewall BSD/MacOS X?
Shadow Hawkins on Wednesday, 09 April 2008 17:38:20
I'm used to being able to run nmap from an outside host to test my IPv4 pf rules. Are there any websites that provide similar IPv6 equivalents? I've used distributed traceroute6 from the sixxs tools site but it'd be handy to have a ping6 and/or port scan tool somewhere as well. It's not for lack of confidence in my own configuration; it's more of a confirmation that things are working as they should be.
Configuring Firewall BSD/MacOS X?
Shadow Hawkins on Thursday, 10 April 2008 04:46:54
What is the "-A" flag meant to do, since it does not seem to be valid for the route command on MacOS X?
As for ip6fw, since I already have this:
ip6fw add 2200 allow ipv6-icmp from 2001:4978:15d::/64 to any icmptypes 1,2,3,128 in
this should be okay to allow the tunnel end point to ping6 to my subnet:
ip6fw add 2210 allow ipv6-icmp from 2001:4978:f:48::2/64 to any icmptypes 1,2,3,128 in