Firewall – FreeBSD 10 IPFW IPv6


I'm struggling to allow IPv6 connections on my FreeBSD 10 server.
I have a working IPv6 connection. But IPFW blocks all the IPv6 traffic.

# flush existing rules
ipfw -q flush
# allow established connections
ipfw -q add 1 check-state
# allow loopback traffic
ipfw -q add 2 allow all from any to any via lo0
# allow previously established TCP connections
ipfw -q add 3 allow tcp from any to any established
# public services inbound: 22/tcp (SSH) and 80/tcp (HTTP)
ipfw -q add 60100 set 1 allow tcp from any to me 22 in setup keep-state
ipfw -q add 60101 set 1 allow tcp from any to me 80 in setup keep-state
# allow all traffic going out
ipfw -q add 200 set 1 allow udp from me to any out keep-state
ipfw -q add 201 set 1 allow tcp from me to any out setup keep-state
# allow common ICMP types in and out
ipfw -q add 400 set 1 allow icmp from me to any icmptypes 0,3,8,11,12,13,14
ipfw -q add 401 set 1 allow icmp from any to me icmptypes 0,3,8,11,12,13,14
# allow tcp connections out on backup interface
ipfw -q add 500 set 1 allow tcp from any to any out via re1 setup keep-state
# deny everything else coming in
#ipfw -q add 999 set 1 deny all from any to any

How can I enable IPv6 for HTTP and ICMP in this setup?
Thanks in advance!

Best Answer

Your IPv6 traffic does not match any of the rules and therefore matches the last rule, which is an explicit deny rule.

First you need to make sure IPFW does process IPv6 traffic. This is done by enabling it using sysctl:

sysctl net.inet6.ip6.fw.enable=1

IPFW supports various IPv6 specific keywords, like me6 instead of me. So you may want to add rules like the following:

ipfw -q add 60102 set 1 allow tcp from any to me6 80 in setup keep-state
ipfw -q add 60103 set 1 allow tcp from any to me6 22 in setup keep-state

For more information on this topic, you may want to consult the RULE FORMAT section of the ipfw(8) man page.
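The sysctl and me6 rules from the answer above, combined into one dry-run script with an ICMPv6 rule for the ICMP half of the question. This is an added example, not part of the original question or answer. Assumptions: rule number 60104 and the ICMPv6 type list are chosen here, and `ipv6-icmp` with `icmp6types` are the ipfw(8) keywords for matching ICMPv6.

```sh
#!/bin/sh
# Added example: emit the IPv6 counterparts of the inbound rules.
# Prints the commands by default; set APPLY=1 to execute them
# (requires root on a FreeBSD host with ipfw loaded).

# Values taken from the answer; adjust to your own ruleset.
TCP_PORTS="80 22"     # HTTP and SSH, in the order the answer numbers them
BASE_RULE=60102       # first rule number used in the answer
# Assumed ICMPv6 types: errors (1-4), echo request/reply (128,129),
# router/neighbor discovery (133-136). Without 135/136 a host cannot
# resolve its neighbors and IPv6 stops working on the link.
ICMP6_TYPES="1,2,3,4,128,129,133,134,135,136"

# Print the command, or run it when APPLY=1.
run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "$*"; fi
}

# Accept only numeric ports in 1..65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

ipv6_rules() {
    n=$BASE_RULE
    # Make ipfw process IPv6 packets at all.
    run sysctl net.inet6.ip6.fw.enable=1
    for port in $TCP_PORTS; do
        if ! valid_port "$port"; then
            echo "skipping invalid port: $port" >&2
            continue
        fi
        run ipfw -q add "$n" set 1 allow tcp from any to me6 "$port" in setup keep-state
        n=$((n + 1))
    done
    # The question's rules 400/401 use proto icmp, which is ICMPv4 only.
    run ipfw -q add "$n" set 1 allow ipv6-icmp from any to any icmp6types "$ICMP6_TYPES"
}

ipv6_rules
```

Review the printed commands first, then rerun with APPLY=1 as root.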