From nobody@FreeBSD.org  Wed Aug 26 17:15:26 2009
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 5CA86106568C
	for <freebsd-gnats-submit@FreeBSD.org>; Wed, 26 Aug 2009 17:15:26 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id 4C4B18FC1C
	for <freebsd-gnats-submit@FreeBSD.org>; Wed, 26 Aug 2009 17:15:26 +0000 (UTC)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.3/8.14.3) with ESMTP id n7QHFP6O079988
	for <freebsd-gnats-submit@FreeBSD.org>; Wed, 26 Aug 2009 17:15:25 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.3/8.14.3/Submit) id n7QHFPkj079987;
	Wed, 26 Aug 2009 17:15:25 GMT
	(envelope-from nobody)
Message-Id: <200908261715.n7QHFPkj079987@www.freebsd.org>
Date: Wed, 26 Aug 2009 17:15:25 GMT
From: Flemming Jacobsen <fj@batmule.dk>
To: freebsd-gnats-submit@FreeBSD.org
Subject: [PATCH] Making rc.firewall (workstation) IPv6 aware
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         138208
>Category:       conf
>Synopsis:       [rc.d] [patch] Making rc.firewall (workstation) IPv6 aware
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-rc
>State:          patched
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Wed Aug 26 17:20:01 UTC 2009
>Closed-Date:    
>Last-Modified:  Fri Nov 02 12:29:13 UTC 2012
>Originator:     Flemming Jacobsen
>Release:        8.0-BETA2
>Organization:
>Environment:
FreeBSD heartofgold.batmule.dk 8.0-BETA2 FreeBSD 8.0-BETA2 #0: Tue Aug 18 18:27:44 CEST 2009     fj@heartofgold.batmule.dk:/usr/obj/usr/src/sys/GENERIC  i386

>Description:
rc.firewall with firewall_type="WORKSTATION" does not allow IPv6 traffic.
This patch fixes that.

>How-To-Repeat:
In rc.conf, set:
  firewall_enable="YES"
  firewall_type="WORKSTATION"
Get IPv6 connectivity (tunnel or native).
Notice that ping6 (or anything else that sends IPv6 packets) fails with 'Permission denied'.
>Fix:
Apply the attached patch.

Patch attached with submission follows:

332c332
< 	${fwcmd} add pass tcp  from me to any established
---
> 	${fwcmd} add pass tcp   from \{ me or me6 \}	to any established
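Review bot: the backslashes in `\{ me or me6 \}` are unnecessary: a brace is only special to sh at the start of a command, so the unquoted words `{` and `}` reach ipfw unchanged, and the escapes make every rule in this patch harder to read. Either drop them or quote the or-block as one string, and use the same spelling in all six hunks. The realignment (`tcp   from`, a tab before `to`) also changes spacing the old line did not have (`tcp  from me`); keep the file's existing spacing so the diff shows only the IPv6 change.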
335,337c335,338
< 	${fwcmd} add pass tcp  from me to any setup keep-state
< 	${fwcmd} add pass udp  from me to any       keep-state
< 	${fwcmd} add pass icmp from me to any       keep-state
---
> 	${fwcmd} add pass tcp   from \{ me or me6 \}	to any setup keep-state
> 	${fwcmd} add pass udp   from \{ me or me6 \}	to any       keep-state
> 	${fwcmd} add pass icmp  from  me 		to any       keep-state
> 	${fwcmd} add pass icmp6 from  me6		to any       keep-state
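Review bot: `pass icmp6 from me6 to any keep-state` needs a comment saying that the state it creates does not carry Neighbor Discovery: a neighbor solicitation goes to a solicited-node multicast address and the advertisement comes back from the neighbor's unicast address, so the reply never matches the dynamic rule, and inbound NDP still relies on the static `icmp6types ... 133,134,135,136` rule added later in this patch. Without that note the next reader will take the stateful rule as sufficient and drop the static one. The tab-versus-space alignment here (`from  me 		to`) also differs from the surrounding lines.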
345c346,349
< 	${fwcmd} add pass icmp from any to any icmptype 8
---
> 	${fwcmd} add pass icmp from any to any icmptypes 8
> 
> 	# Allow ICMP6 pings. Not really required, but done for 4/6 consistency
> 	${fwcmd} add pass icmp6 from any to any icmp6types 128
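Review bot: `icmptype` -> `icmptypes` on the IPv4 line is a keyword correction unrelated to IPv6, and the >Description mentions only IPv6; state it there, or send it as a separate one-line PR so it can be committed on its own. For the new `icmp6types 128` rule the comment "Not really required" is accurate (replies to this host's own ping6 are already covered by the `keep-state` rule on `icmp6 from me6`); say explicitly that the rule exists so that other hosts can ping this one, because on a WORKSTATION ruleset that is a policy choice, not a connectivity requirement.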
348c352,353
< 	${fwcmd} add pass icmp from any to any icmptype 3,4,11
---
> 	${fwcmd} add pass icmp from any to any icmptypes 3,4,11
> 	${fwcmd} add pass icmp6 from any to any icmp6types 1,2,3,4,133,134,135,136
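Review bot: the list `1,2,3,4,133,134,135,136` needs a comment naming what it admits, because these numbers carry more weight than the IPv4 `3,4,11` on the line above: 1-4 are the ICMPv6 error messages (destination unreachable, packet too big, time exceeded, parameter problem), and 133-136 are Router Solicitation/Advertisement and Neighbor Solicitation/Advertisement, which IPv6 uses in place of ARP, so dropping them breaks all IPv6 connectivity on the link rather than merely degrading it. Type 2 deserves a word of its own: IPv6 routers do not fragment, so blocking Packet Too Big breaks path MTU discovery. Type 137 (Redirect) is not in the list; if that is deliberate, say so in the comment.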
363c368
< 	    ${fwcmd} add pass tcp from $i to me $j
---
> 	    ${fwcmd} add pass tcp from $i to \{ me or me6 \} $j
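Review bot: with the destination widened to `{ me or me6 }`, the sources iterated by `$i` may now be IPv6 addresses or names that resolve to them; whatever rc.conf variable this loop reads should have its description updated to say so, since it was IPv4-only before. No change is needed for an IPv4 `$i`: the or-block still matches on `me`, and the `me6` alternative simply never matches for that rule.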
371c376
< 	  ${fwcmd} add pass ip from $i to me
---
> 	  ${fwcmd} add pass ip from $i to \{ me or me6 \}
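Review bot: same documentation point as the previous hunk for the hosts in `$i`; nothing else is needed here, because `ip` as the protocol already matches both IPv4 and IPv6 packets in ipfw, so widening the destination is the whole change.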


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-rc 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Wed Aug 26 20:48:08 UTC 2009 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=138208 
State-Changed-From-To: open->patched 
State-Changed-By: crees 
State-Changed-When: Fri Nov 2 12:26:58 UTC 2012 
State-Changed-Why:  
The rc.firewall scripts have undergone very extensive changes since your PR, 
and rc.firewall6 has been removed completely.  This means that your 
patch doesn't apply, and is probably no longer necessary.  I'm sorry 
that your PR was left for so long. 

The changes will almost certainly never make it to stable/7, but that is 
not your issue. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=138208 
>Unformatted:
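The How-To-Repeat in this PR tests IPv6 only end to end (ping6 fails). The script below is an added example, not code from this PR or from rc.firewall: a POSIX sh audit that reads an ipfw ruleset listing and reports which of the ICMPv6 types the patch opens (the error types 1-4 and the Neighbor Discovery types 133-136) are not admitted from any source, and whether a stateful tcp/udp rule is sourced from me6. RULES_BEFORE and RULES_AFTER are constructed listings that mirror the WORKSTATION rules before and after the patch; the function names, REQUIRED_ICMP6, and the assumption that the listing uses the rule syntax shown here are this example's own.

```sh
#!/bin/sh
# Added example (not code from this PR or from rc.firewall): audit an
# ipfw ruleset listing for the ICMPv6 rules an IPv6 workstation needs.
# Feed it the text of an ipfw listing; here two constructed listings stand
# in, mirroring the WORKSTATION rules before and after the patch in this PR.

# Constructed: IPv4-only WORKSTATION ruleset as it looked before the patch.
RULES_BEFORE='00100 allow ip from any to any via lo0
00200 allow tcp from me to any established
00300 allow tcp from me to any setup keep-state
00400 allow udp from me to any keep-state
00500 allow icmp from me to any keep-state
00600 allow icmp from any to any icmptypes 8
00700 allow icmp from any to any icmptypes 3,4,11
65535 deny ip from any to any'

# Constructed: the same ruleset with the patch applied.
RULES_AFTER='00100 allow ip from any to any via lo0
00200 allow tcp from { me or me6 } to any established
00300 allow tcp from { me or me6 } to any setup keep-state
00400 allow udp from { me or me6 } to any keep-state
00500 allow icmp from me to any keep-state
00510 allow ipv6-icmp from me6 to any keep-state
00600 allow icmp from any to any icmptypes 8
00610 allow ipv6-icmp from any to any icmp6types 128
00700 allow icmp from any to any icmptypes 3,4,11
00710 allow ipv6-icmp from any to any icmp6types 1,2,3,4,133,134,135,136
65535 deny ip from any to any'

# ICMPv6 types a host must accept to have working IPv6 at all:
# 1-4 are the error messages (unreachable, packet too big, time exceeded,
# parameter problem); 133-136 are Neighbor Discovery (RS, RA, NS, NA),
# which replaces ARP.  This is the "must not drop" set of RFC 4890 4.3.1.
REQUIRED_ICMP6='1 2 3 4 133 134 135 136'

# allowed_icmp6_types RULESET
#   Prints, space separated and numerically sorted, every ICMPv6 type that
#   an allow rule admits from any source.  An allow rule for ipv6-icmp
#   from any with no icmp6types option admits everything; that prints "all".
allowed_icmp6_types() {
    printf '%s\n' "$1" | awk '
        $2 ~ /^(allow|pass|accept)$/ && $3 ~ /^(icmp6|ipv6-icmp)$/ &&
        $4 == "from" && $5 == "any" {
            found = 0
            for (i = 6; i <= NF; i++)
                if ($i == "icmp6types") {
                    found = 1
                    n = split($(i + 1), t, ",")
                    for (j = 1; j <= n; j++) print t[j]
                }
            if (!found) print "all"
        }' | sort -n | uniq |
        awk '{ printf "%s%s", (NR > 1 ? " " : ""), $0 } END { print "" }'
}

# missing_icmp6_types RULESET
#   Prints the required types the ruleset does not admit; empty means none.
missing_icmp6_types() {
    allowed=" $(allowed_icmp6_types "$1") "
    case "$allowed" in *" all "*) printf '\n'; return 0 ;; esac
    missing=""
    for t in $REQUIRED_ICMP6; do
        case "$allowed" in
            *" $t "*) ;;
            *) missing="$missing${missing:+ }$t" ;;
        esac
    done
    printf '%s\n' "$missing"
}

# ipv6_ready RULESET
#   Exit status 0 when every required ICMPv6 type is admitted and at least
#   one stateful tcp/udp rule is sourced from me6 (the patch's { me or me6 }
#   or-block), so the host can both open IPv6 sessions and get answers.
ipv6_ready() {
    [ -z "$(missing_icmp6_types "$1")" ] || return 1
    printf '%s\n' "$1" | grep -Eq \
        '^[0-9]+ +(allow|pass|accept) +(tcp|udp) +from +(me6|\{ *me or me6 *\}) +to +any .*keep-state' \
        || return 1
    return 0
}

# report NAME RULESET: one-line verdict for a human reader.
report() {
    if ipv6_ready "$2"; then
        printf '%s: IPv6 ready\n' "$1"
    else
        printf '%s: not IPv6 ready, missing icmp6types: %s\n' \
            "$1" "$(missing_icmp6_types "$2")"
    fi
}

report RULES_BEFORE "$RULES_BEFORE"
report RULES_AFTER "$RULES_AFTER"
```

Against a live host, source the file and call `missing_icmp6_types "$(ipfw list)"` (assuming the listing uses the rule syntax shown above); an empty result means the mandatory ICMPv6 set is admitted. `ipv6_ready` additionally requires a stateful tcp/udp rule sourced from me6, the or-block change in the patch that lets the host open IPv6 TCP and UDP sessions at all; a ruleset that opens the ICMPv6 types but still says `from me` only will be reported as not ready.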
