ipfilter in IPv6Mode DenyAllButLocal allows only link-local multicast
| Originator: | mdwoernhard | ||
| Number: | rdar://8217369 | Date Originated: | 2010-07-21 20:08 |
| Status: | Open | Resolved: | |
| Product: | Mac OS X Server | Product Version: | 10F569 |
| Classification: | Other bug | Reproducible: | Always |
Summary: The Mac OS X Server Network Services Administration Manual, page 90 (in the middle) states: "By default, the IPv6Mode key has the string set to DenyAllExceptLocal. This setting applies the following rules, which denies all IPv6 traffic but permits local network traffic (...)". This is wrong - the only traffic getting allowed is ff02::/16 which is link-local multicast network! Local traffic comes either from fc80::/10 (link-local unicast) or fc00::/7 (Unique Local unicast, formerly site-local). Therefore, the firewall does not allow meaningful local traffic. Steps to Reproduce: 1. Check Mac OS X Server Network Services Administration Manual, page 90 (in the middle) 2. It states correctly that when IPv6Mode in /etc/ipfilter/ip_address_groups.plist is set to DenyAllExceptLocal, the file cat /etc/ipfilter/ip6fw.conf.apple contains after a restart the line "add 1100 allow all from any to ff02::/16" 3. This is supposed to allow local traffic, but ff02::/16 is a link-local multicast-address (see http://www.iana.org/assignments/ipv6-multicast-addresses/) 4. Real local traffic is unicast, not multicast and will most probably come from fc00::/7 (Unique Local Address, ULA) Expected Results: Local IPv6 unicast traffic should be allowed. Actual Results: Link-local IPv6 multicast traffic is allowed. Regression: Unknown Notes:
Comments
Please note: Reports posted here will not necessarily be seen by Apple. All problems should be submitted at bugreport.apple.com before they are posted here. Please only post information for Radars that you have filed yourself, and please do not include Apple confidential information in your posts. Thank you!