# IPFW & IPv6



## DenBeke (Jun 6, 2014)

I'm struggling to allow IPv6 connections on my FreeBSD 10 server.
I have a working IPv6 connection. But IPFW blocks all the IPv6 traffic.


```
#!/bin/sh
#
# flush existing rules
ipfw -q flush
# allow established connections
ipfw -q add 1 check-state
# allow loopback traffic
ipfw -q add 2 allow all from any to any via lo0
# allow previously established TCP connections
ipfw -q add 3 allow tcp from any to any established
#
# public services inbound: 22/tcp (SSH) and 80/tcp (HTTP)
ipfw -q add 60100 set 1 allow tcp from any to me 22 in setup keep-state
ipfw -q add 60101 set 1 allow tcp from any to me 80 in setup keep-state
#
# allow all traffic going out
ipfw -q add 200 set 1 allow udp from me to any out keep-state
ipfw -q add 201 set 1 allow tcp from me to any out setup keep-state
#
# allow common ICMP types in and out
ipfw -q add 400 set 1 allow icmp from me to any icmptypes 0,3,8,11,12,13,14
ipfw -q add 401 set 1 allow icmp from any to me icmptypes 0,3,8,11,12,13,14
#
# allow tcp connections out on backup interface
ipfw -q add 500 set 1 allow tcp from any to any out via re1 setup keep-state
#
# deny everything else coming in
#ipfw -q add 999 set 1 deny all from any to any
```

How can I enable IPv6 for HTTP and ICMP in this setup?
Thanks in advance!


----------



## ensō (May 24, 2017)

Did you ever figure this out? I'm having the same issue on version 11, except I only need to enable IPv6 over SSH.... Any knowledge you can share?


----------



## SirDice (May 24, 2017)

Don't expect a response any time soon. The OP has been seen since he asked that question almost 3 years ago.


----------



## JKallen (Mar 4, 2018)

I am having the same problem. I am running 11.1. I have copied all my original ipfw rules for ip4 and modified them for ip6, and I cannot hit my jails from outside of the host. I have IPv6 enabled in /etc/rc.conf. I also have the ipv6 firewall enabled along with the related sysctl variables. It’s definitely the firewall because when I turn it off I can tcpdump the traffic. I have scoured the web for 3 days and can’t find much about ipfw and IPv6. However, I’m too stubborn to switch to ipf. Do you know of any resources on the web that address ipfw in depth? I can’t even find a book on it.

Thanks in advance.


----------



## fernandel (Mar 4, 2018)

Maybe it's helpful:
https://serverfault.com/questions/605004/freebsd-10-ipfw-ipv6/747971


----------



## JKallen (Mar 5, 2018)

Funny. I actually already stumbled across this article. Symptomatically very similar to what I was dealing with.

It turns out that IPv6 uses ICMP as a part of the solicitation and advertising process. So if ICMP is denied in ipv6, after you have a client browser hit a website for instance, it will continue to refresh the page. However, if ICMP is denied via firewall before hitting the webpage from a client, the browser never receives a response. So what I am currently working on is determining the bare minimum ICMP I have to allow through my firewall to make things work. I’m accomplishing this fairly slowly using tcpdump and all the documentation out there for ipv6.

Thanks for your response!


----------



## SirDice (Mar 5, 2018)

IPv4 used ARP to find out which MAC address belongs to a certain IP address. IPv6 doesn't use ARP but uses IPv6 Neighbor Discovery instead. This works via IPv6 ICMP.

https://en.wikipedia.org/wiki/Neighbor_Discovery_Protocol


----------
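Added example (not posted by anyone in this thread): following the Neighbor Discovery explanation above, this script prints IPv6 counterparts of the first post's ICMP and service rules and lints a rule set for ICMPv6 types it fails to allow. The rule numbers 410-412 and 60110-60111, the type groupings and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Rule numbers are constructed.
# ICMPv6 types (RFC 4443, RFC 4861):
ND="133,134,135,136"   # router/neighbor solicitation and advertisement
ERRORS="1,2,3,4"       # unreachable, packet too big, time exceeded, parameter problem
ECHO="128,129"         # echo request / echo reply

# Print IPv6 counterparts of the first post's ICMP and service rules.
ipv6_rules() {
    cat <<EOF
ipfw -q add 410 set 1 allow ipv6-icmp from any to any icmp6types $ND
ipfw -q add 411 set 1 allow ipv6-icmp from any to any icmp6types $ERRORS
ipfw -q add 412 set 1 allow ipv6-icmp from any to any icmp6types $ECHO
ipfw -q add 60110 set 1 allow tcp from any to me6 22 in setup keep-state
ipfw -q add 60111 set 1 allow tcp from any to me6 80 in setup keep-state
EOF
}

# Lint a rule set on stdin: print each ICMPv6 type in $1 that no allow rule covers.
missing_icmp6_types() {
    awk -v need="$1" '
        /^[ \t]*#/ { next }                        # skip commented-out rules
        !/ (allow|accept|pass|permit) / { next }   # only rules that let traffic through
        / ipv6-icmp / && !/icmp6types/ { all = 1 } # no type list: every type allowed
        {
            for (i = 1; i < NF; i++)
                if ($i == "icmp6types") {
                    n = split($(i + 1), t, ",")
                    for (j = 1; j <= n; j++) ok[t[j]] = 1
                }
        }
        END {
            n = split(need, r, ",")
            for (j = 1; j <= n; j++)
                if (!all && !(r[j] in ok)) print r[j]
        }'
}

# Dry run: show the rules and confirm Neighbor Discovery is covered.
ipv6_rules
[ -z "$(ipv6_rules | missing_icmp6_types "$ND")" ] && echo "# ND types covered"
```

Run as-is it only prints the rules; after reviewing them, pipe the output to `sh` as root on the FreeBSD host to load them.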



## JKallen (Mar 5, 2018)

So all those experts out there who say just use ip6 or me6 in place of ip or me aren’t entirely correct.


----------



## SirDice (Mar 5, 2018)

For the most part it works the same, it's just that some details are slightly different.


----------



## JKallen (Mar 5, 2018)

Btw I stumble on tons of discussions with your provided solutions. I have learned a great deal from you over the years.


SirDice said:


> IPv4 used ARP to find out which MAC address belongs to a certain IP address. IPv6 doesn't use ARP but uses IPv6 Neighbor Discovery instead. This works via IPv6 ICMP.
> 
> https://en.wikipedia.org/wiki/Neighbor_Discovery_Protocol


 

I have run across tons of discussions with solutions you have provided over the years. Your knowledge is pretty freaking awesome. I have learned tons from you. Thank you very much.

This forum is great. My hosting company did away with FreeBSD. I actually forced my hosting company to let me continue with FreeBSD rather than switching to another Unix OS, under threat of leaving, because I love this product. I love the control over the ports, the structure, organization, rigor, and this support forum. I’m very loyal to FreeBSD entirely because of contributors like you. So thank you very much!


----------

