Other Linux/Unix/BSD/OSX distributions discussion
drop
- Posts: 14
- Joined: 2018-05-26 19:54
#1
Post by drop » 2018-08-01 11:53
When the DNS server is an IPv6 address:
Code:
cat /etc/resolv.conf
nameserver 2001:4860:4860::8888
With the firewall disabled, both ping6 google.com and ping google.com work normally. After enabling the firewall, ping6 google.com and ping google.com both wait forever with no response.
After changing the DNS server to IPv4:
Code:
cat /etc/resolv.conf
nameserver 8.8.8.8
ping google.com works again, but IPv6 is unusable.
Where is the mistake in my firewall rules?
Code:
cat /etc/rc.conf
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
Code:
cat /etc/ipfw.rules
cmd="ipfw -q add"
pif="dc0"
$cmd 00010 allow all from any to any via lo0
$cmd 00101 check-state
$cmd 00110 allow tcp from any to any 53 out via $pif setup keep-state
$cmd 00111 allow udp from any to any 53 out via $pif keep-state
$cmd 00250 allow icmp from any to any out via $pif keep-state
$cmd 00251 allow icmp6 from any to any out via $pif keep-state
$cmd 00999 deny log all from any to any
astolia
- Forum moderator
- Posts: 6445
- Joined: 2008-09-18 13:11
#2
Post by astolia » 2018-08-01 16:33
Have you tried manually allowing echo reply packets in?
Code:
$cmd 00252 allow icmp6 from any to any in via $pif icmp6types 129
drop
- Posts: 14
- Joined: 2018-05-26 19:54
#3
Post by drop » 2018-08-02 7:53
astolia wrote: ↑2018-08-01 16:33
Have you tried manually allowing echo reply packets in?
Code:
$cmd 00252 allow icmp6 from any to any in via $pif icmp6types 129
I found that it is enough to move these lines from the beginning of /etc/rc.firewall into it:
Code:
# Only in rare cases do you want to change these rules
#
# ND
#
# DAD
${fwcmd} add pass ipv6-icmp from :: to ff02::/16
# RS, RA, NS, NA, redirect...
${fwcmd} add pass ipv6-icmp from fe80::/10 to fe80::/10
${fwcmd} add pass ipv6-icmp from fe80::/10 to ff02::/16
# Allow ICMPv6 destination unreachable
${fwcmd} add pass ipv6-icmp from any to any icmp6types 1
# Allow NS/NA/toobig (don't filter it out)
${fwcmd} add pass ipv6-icmp from any to any icmp6types 2,135,136
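The reason the rc.firewall lines fix it: the stateful rule 00251 only creates a dynamic entry matching the addresses of the outbound packet. A Neighbor Solicitation goes out to a solicited-node multicast address, while the Neighbor Advertisement comes back from the neighbour's unicast link-local address, so the reply never matches the dynamic rule and falls through to the final deny; Router Advertisements and DAD have no outbound trigger at all. Without Neighbor Discovery the host cannot resolve its IPv6 gateway, so a query to an IPv6 DNS server never leaves the box and both pings hang, exactly as in post #1. The script below is an added example, not code from the thread or from FreeBSD's /etc/rc.firewall: it merges drop's original /etc/ipfw.rules (post #1) with the ICMPv6 rules drop copied from rc.firewall (post #3), numbered so they sit before the final deny. The interface name dc0, the rule numbers 00020-00024, the IPFW_CMD variable (defaulting to a dry-run echo) and the check_order helper are my own choices; ipv6-icmp is the protocol name rc.firewall uses, equivalent to icmp6 in the original rules.

```shell
#!/bin/sh
# Added example: combined /etc/ipfw.rules with the ICMPv6 Neighbor Discovery
# allowances placed ahead of the stateful rules and the final deny.
# On a real host run with IPFW_CMD="ipfw -q add"; the default only prints the
# rules so the script can be checked anywhere without touching the kernel.
IPFW_CMD="${IPFW_CMD:-echo ipfw -q add}"
PIF="${PIF:-dc0}"   # assumed interface name, as in the thread

gen_rules() {
    cmd="$IPFW_CMD"
    pif="$PIF"
    $cmd 00010 allow all from any to any via lo0
    # ICMPv6 control traffic that the keep-state rules never see as a matching
    # "out" packet: DAD from the unspecified address, RS/RA/NS/NA between
    # link-local addresses, and the types a router or neighbour sends back
    # unsolicited (1 = unreachable, 2 = packet too big, 135/136 = NS/NA).
    $cmd 00020 allow ipv6-icmp from :: to ff02::/16
    $cmd 00021 allow ipv6-icmp from fe80::/10 to fe80::/10
    $cmd 00022 allow ipv6-icmp from fe80::/10 to ff02::/16
    $cmd 00023 allow ipv6-icmp from any to any icmp6types 1
    $cmd 00024 allow ipv6-icmp from any to any icmp6types 2,135,136
    # Original stateful rules from post #1: DNS and outbound ping, both families.
    $cmd 00101 check-state
    $cmd 00110 allow tcp from any to any 53 out via $pif setup keep-state
    $cmd 00111 allow udp from any to any 53 out via $pif keep-state
    $cmd 00250 allow icmp from any to any out via $pif keep-state
    $cmd 00251 allow ipv6-icmp from any to any out via $pif keep-state
    $cmd 00999 deny log all from any to any
}

# Sanity check on the generated ruleset: every ND/ICMPv6 rule must carry a
# lower number than the final deny, otherwise ipfw never reaches it.
# Returns 0 when the ordering is correct, 1 otherwise.
check_order() {
    gen_rules | awk '
        /ipv6-icmp .* (ff02::\/16|fe80::\/10|icmp6types)/ { nd = $4 + 0; if (nd > maxnd) maxnd = nd }
        /deny log all/ { deny = $4 + 0 }
        END { exit !(maxnd > 0 && deny > maxnd) }'
}

gen_rules
check_order && echo "ruleset order OK"
```

Loading it on FreeBSD is the same as in post #1: point firewall_script in /etc/rc.conf at the file and set IPFW_CMD="ipfw -q add". The dry-run default exists so a ruleset edit can be reviewed (and the ordering check run) before it is applied to a remote box, where a misplaced deny locks you out.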