# ipfw rules to support IPv6



## manju_kalita (May 16, 2011)

Hi all,

I need to add udp and tcp rules to allow traffic through port 53 (for a DNS server) for IPv6 addresses on FreeBSD 7.1 (amd). ipfw is not accepting udp6/tcp6. I can add udp/tcp rules with IPv6 addresses, but traffic is not coming through as expected. I added ip6 rules for those IPv6 interfaces, but DNS traffic is still getting denied.

Please help.

Thanks & Regards,
Manju


----------



## SirDice (May 16, 2011)

Post your rules please, so we can have a look. Obfuscate your addresses if needed.


----------



## manju_kalita (May 16, 2011)

I get a response when I add this rule (it allows all traffic, so that is expected):


```
allow ip from any to any
```

I tried each of the following rules. There is no response from the server.

1.

```
allow udp from any to <server IPv6 address> dst-port 53 keep-state
```

2.

```
allow ip6 from any to <server IPv6 address> dst-port 53 keep-state
```

3.

```
allow ip from any to any dst-port 53 keep-state
```

4.

```
allow ip6 from any to any dst-port 53 keep-state
```

I can't see any traffic when I check with *ipfw -d list*. It might be a configuration issue.


----------



## andygui (Mar 20, 2012)

manju_kalita said:

> I need to add udp and tcp rules to allow traffic through 53 (for DNS server) for IPv6 addresses on FreeBSD 7.1 (amd). ipfw is not accepting udp6/tcp6. I can add udp/tcp rules with IPv6 addresses, but traffic is not coming as expected. I added ip6 rules for those IPv6 interfaces, still DNS traffic is getting denied.



You may wish to ensure that ipv6-icmp is enabled between the hosts for neighbor solicitation to function properly. You will need to implicitly enable it if your rule set defaults to deny.

Though this may not have helped you in time, hopefully it will help other users that are running into IPv6+IPFW issues and landing here.


----------



## RusDyr (Mar 26, 2012)

Probably you also need "*allow ip(6) from any to any established*". Did you check the ipfw byte/packet counts for each rule ("*ipfw show*")?
And lastly, try putting the options after the main body, so it looks like this (I checked this on 8.2-STABLE; I don't know whether it works on 7.1):

```
allow ip6 from me6 to any proto udp dst-port 53 keep-state // Allow outgoing IPv6 DNS queries
allow ip6 from me6 to any proto udp src-port 53 keep-state // Allow outgoing IPv6 DNS answers

allow ip6 from any to me6 proto udp dst-port 53 keep-state // Allow incoming IPv6 DNS queries
allow ip6 from any to me6 proto udp src-port 53 keep-state // Allow incoming IPv6 DNS answers

allow ip6 from any to any established // Allow established and related session
```

I don't know what kind of server you have: is it a DNS server or just a DNS client? I wrote rules for both.
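Putting andygui's ICMPv6 point and RusDyr's stateful DNS rules together, here is an added example script that is not from any post in this thread. It assumes the FreeBSD rc.firewall `fwcmd` convention, rule numbers of my own choosing, and a DNS daemon on port 53 on this host; it uses `check-state` where RusDyr's set relies on an `established` rule.

```shell
#!/bin/sh
# Added example, not from the thread: a stateful IPv6 DNS ruleset for ipfw
# that first admits the ICMPv6 types Neighbor Discovery depends on, because
# a default-deny policy that drops ipv6-icmp silently breaks all IPv6 traffic.
# Assumptions: rule numbers, the "fwcmd" prefix (FreeBSD rc.firewall
# convention) and a DNS daemon listening on port 53 on this host.

fwcmd="/sbin/ipfw -q"    # set fwcmd=echo to print the rules instead of loading them

add_ipv6_dns_rules() {
    # Neighbor Discovery: router solicitation/advertisement (133/134) and
    # neighbor solicitation/advertisement (135/136). Without these the host
    # cannot learn link-layer addresses, so even "allow ip6" DNS rules see no packets.
    $fwcmd add 1000 allow ipv6-icmp from any to any icmp6types 133,134,135,136
    # ICMPv6 errors: destination unreachable (1), packet too big (2, needed for
    # path MTU discovery), time exceeded (3), parameter problem (4)
    $fwcmd add 1010 allow ipv6-icmp from any to any icmp6types 1,2,3,4
    # check-state must come before the keep-state rules so that reply packets
    # of a tracked session match here instead of falling through to the deny
    $fwcmd add 1020 check-state
    # Incoming queries to this host; me6 matches any IPv6 address configured locally
    $fwcmd add 1030 allow udp from any to me6 dst-port 53 keep-state
    $fwcmd add 1040 allow tcp from any to me6 dst-port 53 setup keep-state
    # Outgoing queries when this host also acts as a resolver/forwarder
    $fwcmd add 1050 allow udp from me6 to any dst-port 53 keep-state
    $fwcmd add 1060 allow tcp from me6 to any dst-port 53 setup keep-state
    # Log what is still dropped so "ipfw -d list" / "ipfw show" reveal the misses
    $fwcmd add 65000 deny log ip6 from any to any
}

# Only touch the live firewall when explicitly asked; running the script bare is a no-op
if [ "$1" = "--apply" ]; then
    add_ipv6_dns_rules
fi
```

Run it as `fwcmd=echo sh ipv6-dns.sh --apply` first to review the generated rules, then compare the per-rule counters in `ipfw show` after a test query to see which rule a query actually hits.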


----------

