
Snow Leopard Server firewall and IPv6

Started by derby, August 06, 2011, 08:31:28 PM


derby

I have two Mac Minis running Snow Leopard Server.  There are two network interfaces on each machine, en0 is the ethernet port with a routable ipv4 address, en2 is a USB to ethernet adapter on the internal network that routes to the outside world via an IPv6 tunnel set up on a Cisco 871 router.

I can ping6 Google's IPv6 address from OS X clients running Lion without any problems and connect to ipv6 test web sites so I know my ipv6 tunnel on the CISCO 871 is working.  I can't ping6 from the Snow Leopard Server machines. 

I suspect from reading a variety of somewhat related postings here and there and the messages from Snow Leopard Server the firewall is blocking IPv6 traffic.  Is this a good guess?

If so, has anyone developed a set of firewall rules (settings) for Snow Leopard Server that allows IPv6 outbound traffic to pass on to the internet but blocks all ipv6 inbound traffic except ports 80 and 443?

Following is the output of a ping6 to ipv6.google.com on Snow Leopard Server.  A traceroute6 also fails with Permission denied:

box1:~ admin$ ping6 ipv6.google.com                                                         
PING6(56=40+8+8 bytes) 2001:470:8:aaa:bbb:cccc:dddd:eeee --> 2001:4860:8006::69
ping6: sendmsg: Permission denied
ping6: wrote ipv6.l.google.com 16 chars, ret=-1
Request timeout for icmp_seq=0
ping6: sendmsg: Permission denied
ping6: wrote ipv6.l.google.com 16 chars, ret=-1
Request timeout for icmp_seq=1
ping6: sendmsg: Permission denied
ping6: wrote ipv6.l.google.com 16 chars, ret=-1
Request timeout for icmp_seq=2
ping6: sendmsg: Permission denied
ping6: wrote ipv6.l.google.com 16 chars, ret=-1

cholzhauer

The only thing you need to do to enable the tunnel is to allow protocol 41.  (You'll need to enable ICMP so HE can ping you.)

derby

The tunnel is enabled and runs just fine on a CISCO 8xx router. Getting the 8xx router to work is another story fixed by upgrading IOS to a level that supports routing over a BVI interface, but it works fine and an iPad, iPhone and 2 Mac computers running OS X Lion are working just great.

The two Mac Minis running Snow Leopard Server with 2 interfaces, LAN and WAN, acquire IPv6 addresses and the CISCO's address for routing.  So the challenge is to get Snow Leopard Server to route IPv6 traffic to the tunnel on the Cisco 8xx router.

If protocol 41 needs to be allowed to pass on the LAN side from the OS X Server to the CISCO BVI interface how does one do that?  There is nothing in OS X Server Admin to view, enable or disable Protocol 41 or to control IP traffic on the LAN side.  Does the OS X Server firewall block all IPv6 traffic including LAN traffic?

cholzhauer

Oh sorry, I read your post wrong.

You don't need to do anything with protocol 41 behind your router.  Is it a firewall issue or a routing issue? What happens if you disable the firewall and test?

derby

I think I'm facing a routing issue.  The IPv6 traffic is on the LAN and handled by the CISCO 8xx router.  The LAN interface on the Mac Mini is the secondary usb/ethernet interface.  I don't know how to tell the Mac Mini running Snow Leopard Server to send all IPv6 traffic to the secondary usb/ethernet interface.

Since the IPv6 traffic is now being sent to the primary interface it just might work if I disable the Firewall since all IPv6 addresses are internet routable....  will check tonight and see.  However,  I really want to keep the IPv6 traffic on the LAN if at all possible so I only have to maintain firewall rules in one place, the CISCO router.

If you or someone reading this knows the syntax to tell the Snow Leopard Server to route ipv6 traffic to the usb/ethernet port, that would be wonderful information.


cholzhauer


derby

The two interfaces on the MacMini running Snow Leopard Server are en0 (ethernet) connected to the WAN and en2 (USB/Ethernet) connected to the LAN.

en2 shows an IPv6 address and the CISCO router's link-local address for routing.  DNS is propagated correctly for OPENDNS ipv6 sandbox DNS servers.

If I turn off the firewall ping6, traceroute6 and web browsing to ipv6 sites works just fine.  So the machine is set to use en0 for IPv6 traffic even though en2 has the IPv6 address and router address.

I tried turning ipv6 off on en0 with this command:  /usr/sbin/ip6 -d en0
But that made no difference; the ipv6 requests were still pushed to the firewall.

I tried using this route command:

route add -inet6 default -interface en2

But that made no difference.

So not sure what to do next.

tchxhe

If it is the firewall, you have to allow the traffic you want to pass in/out to/from your server. On a Mac a new boot or using the firewall GUI in serveradmin (even if you change only an ipv4 rule) resets the firewall for ipv6 to default values. On my server the default is local traffic allowed, external traffic blocked. I made a shell script which sets the firewall rules and execute this script after a new boot, so my firewall is set.
You can list your firewall settings in the terminal with 'sudo ip6fw list' and add new rules with 'sudo ip6fw add ...' (see 'man ip6fw' for syntax).

cconn


ferry1

As for me, I can recommend using this program http://www.protemac.com/netmine/, it works really great!

derby

cconn, I'm using c870-advipservicesk9-mz.151-4.M1.bin

Since upgrading the router memory to 128K and upgrading IOS, IPv6 now works on my 871W.

derby

ferry1,

I would be hesitant to use a 3rd party firewall on Snow Leopard Server.  I have found a great program, WaterRoof,  that provides a GUI interface to the Snow Leopard Server.  With WaterRoof, one click shows you the IPv6 rules that Server Admin does not show and you can see that one of the default rules is to block all IPv6 traffic.  So what I thought was a routing problem at first turned out to be a firewall problem.  The Snow Leopard Server firewall blocks all IPv6 traffic unless you delete the blocking rule, which is one click to see it with WaterRoof and one more click to delete the rule.
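
A script implementing the policy derby asked for at the top of the thread (outbound IPv6 allowed, inbound only TCP 80 and 443) in the ip6fw syntax tchxhe describes, so the default "deny all IPv6" rule is replaced by a stated policy rather than simply deleted. This is an added example, not anything posted in this thread; it assumes the rule syntax from 'man ip6fw' on Snow Leopard Server, that the script is re-run with --apply after each boot or Server Admin change (tchxhe's point), and the rule numbers are arbitrary.

```sh
#!/bin/sh
# Example ip6fw policy for Snow Leopard Server (assumed syntax from 'man ip6fw').
set -e

# Emit the rule set, one "add ..." line per rule, lowest number first.
#  1000  loopback is always allowed
#  1100  ICMPv6 carries neighbor discovery and router advertisements;
#        blocking it leaves the host without an IPv6 router on the LAN
#  1200  anything the server initiates may leave
#  1300  ip6fw is stateless: replies to our outbound TCP sessions must be
#        admitted explicitly ('established' = ACK/RST set)
#  1400  new inbound TCP connections only to 80 and 443 ('setup' = SYN only)
#  1600  replies from resolvers on UDP 53 (assumption: DNS over IPv6 is used)
# 65000  everything else is dropped and logged (logging needs the sysctl
#        net.inet6.ip6.fw.verbose=1 on this BSD-derived ip6fw)
ip6fw_rules() {
  cat <<'EOF'
add 1000 allow ipv6 from any to any via lo0
add 1100 allow ipv6-icmp from any to any
add 1200 allow ipv6 from any to any out
add 1300 allow tcp from any to any established in
add 1400 allow tcp from any to any 80 in setup
add 1500 allow tcp from any to any 443 in setup
add 1600 allow udp from any 53 to any in
add 65000 deny log ipv6 from any to any
EOF
}

rule_count() { ip6fw_rules | wc -l | tr -d ' '; }

# Flush the live IPv6 rules and load ours; boots and Server Admin changes
# reset ip6fw to its defaults, so this must run again afterwards.
apply_rules() {
  sudo ip6fw -f flush
  ip6fw_rules | while read -r rule; do
    # shellcheck disable=SC2086  # word splitting into ip6fw arguments is intended
    sudo ip6fw $rule
  done
  sudo ip6fw list
}

if [ "${1:-}" = "--apply" ]; then
  apply_rules
else
  ip6fw_rules   # dry run: show the rules that --apply would load
fi
```

Run it once without arguments to review the rule list, then with --apply; 'sudo ip6fw list' afterwards should show exactly these eight rules above the kernel's final default rule.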