IPF, IPv6 and a bridge

From: Jeroen Ubbink (crasp_at_blackbyte.nl)
Date: 01/30/04

    Date: Fri, 30 Jan 2004 09:38:08 +0100
    To: freebsd-stable@freebsd.org

    Hello,

    I have built a VPN with some friends; we all have a tap-device that
    handles data for the VPN. The tap-device is bridged to our local network
    interfaces, e.g.:

    net.link.ether.bridge_cfg: tap1,fxp0
    net.link.ether.bridge: 1
    net.link.ether.bridge_ipf: 1

    Now some of my friends also have an IPv6 tunnel set up, just like me, and
    are running rtadvd to give their internal network IPv6 addresses and
    routes. The point is that it goes across the entire VPN. So the hosts in my
    network get routes and IPs out of the prefixes of friends, which in most
    cases makes traffic with the outside world through IPv6 impossible. Now
    what I want my IPF to do is to block all the router advertisements coming
    in on tap1. Easier done than said. A simple rule:

    block in quick on tap1 all.

    Load it with ipf -6 and it works as an IPv6 rule. This works for the machine
    with the TAP device in it. It doesn't get an IP or a route from anybody
    else anymore, but it doesn't prevent the router advertisements from going to
    the rest of my hosts. I even tried to block ipv6-icmp and load it with the
    IPv4 rules, still the same. IPv4, however, seems to block like a charm:
    blocking DHCP to prevent other hosts from getting an IP of my network or
    making sure my network doesn't get IPs from other networks seems to work
    fine. I'm lost. ipfw doesn't seem to block router advertisements on a
    bridge either. Is this just a problem with both those firewall tools, or is
    it a problem in FreeBSD?

    thanks in advance,
    Jeroen Ubbink
    _______________________________________________
    freebsd-stable@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-stable
    To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"
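A narrower ruleset for the setup in the post, as an added example that is not from the original message: instead of "block in quick on tap1 all", it drops only ICMPv6 router advertisements (type 134) and redirects (type 137) on the VPN interface, in both directions, and passes the rest of the VPN traffic. It assumes the post's interface names (tap1 on the VPN side, fxp0 on the LAN side), ipf's -6 flag for loading IPv6 rules, the bridge sysctls shown above, and tcpdump on the LAN interface to check whether advertisements from the VPN still reach the bridged hosts, which is the failure the post describes. The file path /etc/ipf6.rules is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes FreeBSD with the
# net.link.ether.bridge* sysctls and ipf as described in the post.
# tap1 = VPN side, fxp0 = local LAN side (names taken from the post).

VPN_IF=tap1
LAN_IF=fxp0

# IPv6 ruleset for ipf. Router advertisements are ICMPv6 type 134 and go to
# ff02::1; blocking them on the VPN interface in both directions keeps the
# friends' prefixes out of this LAN and this LAN's prefix out of theirs.
# The trailing "pass" lines keep ordinary VPN traffic flowing.
ra_block_rules() {
    cat <<EOF
# drop incoming router advertisements (ICMPv6 type 134) from the VPN
block in quick on ${VPN_IF} proto ipv6-icmp from any to any icmp-type 134
# drop ICMPv6 redirects (type 137) from the VPN too; they rewrite routes
block in quick on ${VPN_IF} proto ipv6-icmp from any to any icmp-type 137
# do not leak our own rtadvd announcements into the VPN either
block out quick on ${VPN_IF} proto ipv6-icmp from any to any icmp-type 134
# everything else on the VPN interface is allowed
pass in quick on ${VPN_IF} all
pass out quick on ${VPN_IF} all
EOF
}

# Enable the bridge with ipf hooked in (the sysctls from the post) and load
# the ruleset as IPv6 rules (ipf -6). /etc/ipf6.rules is a placeholder path.
load_rules() {
    sysctl net.link.ether.bridge_cfg="${VPN_IF},${LAN_IF}"
    sysctl net.link.ether.bridge=1
    sysctl net.link.ether.bridge_ipf=1
    ra_block_rules > /etc/ipf6.rules
    ipf -6 -Fa -f /etc/ipf6.rules
}

# Verification: if the rule is applied to bridged frames, the only RAs seen
# on the LAN side should come from the local rtadvd. ip6[40] is the ICMPv6
# type byte when the packet carries no extension headers, which is the case
# for router advertisements.
watch_for_ra() {
    tcpdump -n -i "${LAN_IF}" -c 5 'icmp6 and ip6[40] == 134'
}

case "${1:-}" in
    load)  load_rules ;;
    watch) watch_for_ra ;;
    *)     ra_block_rules ;;   # default: print the ruleset
esac
```

Run it with "load" to install the rules, then "watch" on the LAN interface while a peer's rtadvd is announcing; if advertisements with a peer's source address still show up on fxp0, the bridged IPv6 frames are not reaching ipf at all, and the rule itself is not what needs fixing.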
