Strotmann.de
03 Apr 2011

Fixing the IPv6 Firewall on MacOS X 10.6

On MacOS X 10.6 (Snow Leopard), the IPv6 firewall command line utility 'ip6fw' is broken. It silently does not store ICMPv6 types above type 127 in a filter rule, as the rule echoed back after adding it shows:

# sudo ip6fw add 20020 allow ipv6-icmp from any to any in icmptype 1,2,3,4,128,129
20020 allow ipv6-icmp from any to any in icmptype 1,2,3,4

The same command still worked on MacOS X 10.5. It turned out that Apple has compiled ip6fw for x86_64, a 64-bit target:

# file /sbin/ip6fw
/sbin/ip6fw: Mach-O universal binary with 3 architectures
/sbin/ip6fw (for architecture x86_64):  Mach-O 64-bit executable x86_64
/sbin/ip6fw (for architecture i386):    Mach-O executable i386
/sbin/ip6fw (for architecture ppc7400): Mach-O executable ppc

The code, forked from the FreeBSD project in 2001 (which in turn got the original code from the KAME project), is not 64-bit clean.

But there is an easy solution. Since the file is a Universal binary that also contains i386 code (besides ppc and x86_64), it is possible to strip away the 64-bit code (and the ppc code, which is not needed on Intel MacOS X) to get a working copy of ip6fw:

# sudo ditto --rsrc --arch i386 /sbin/ip6fw /sbin/ip6fw.i386
# sudo mv /sbin/ip6fw.i386 /sbin/ip6fw

Now it is possible to enter ICMPv6 filter rules for ICMPv6 types above 127:

# sudo ip6fw add 20020 allow ipv6-icmp from any to any in icmptype 1,2,3,4,128,129 
20020 allow ipv6-icmp from any to any in icmptype 1,2,3,4,128,129
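
To make this class of 64-bit defect concrete, here is an added illustration in C. It is not the ip6fw, Darwin or FreeBSD source, and the exact defect in Apple's build is not documented on this page; the bitmap layout, the DIM_BUGGY/DIM_FIXED macros and the function names are assumptions chosen to reproduce the symptom shown above: an ICMPv6 type bitmap of 32-bit words whose word count is derived from the width of `long` holds all 256 types on an ILP32 (i386) build but only 128 on an LP64 (x86_64) build.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define ICMP6_TYPES_MAX 256   /* the ICMPv6 type is an 8-bit field */
#define WORD_BITS 32          /* the bitmap is stored in 32-bit words */
/* Bug (assumed for illustration): word count derived from the width of
 * "long": 32 on i386 (8 words = 256 bits), 64 on x86_64 (4 words = 128). */
#define DIM_BUGGY(long_bits) (ICMP6_TYPES_MAX / (long_bits))
/* Fix: derive the word count from the width of the word type itself. */
#define DIM_FIXED (ICMP6_TYPES_MAX / WORD_BITS)

/* Parse "1,2,3,4,128,129" into a bitmap of `dim` 32-bit words; a type whose
 * word lies past the end of the bitmap is silently dropped, as in the post. */
static void fill_icmp6_types(uint32_t *bm, size_t dim, const char *list) {
  char buf[128];
  snprintf(buf, sizeof buf, "%s", list);
  memset(bm, 0, dim * sizeof *bm);
  for (char *tok = strtok(buf, ","); tok; tok = strtok(NULL, ",")) {
    unsigned type = (unsigned)atoi(tok);
    if (type < ICMP6_TYPES_MAX && type / WORD_BITS < dim)
      bm[type / WORD_BITS] |= 1u << (type % WORD_BITS);
  }
}

/* Render the bitmap the way ip6fw echoes the rule: "1,2,3,4,128,129". */
static const char *show_icmp6_types(const uint32_t *bm, size_t dim, char *out, size_t n) {
  size_t len = 0;
  out[0] = '\0';
  for (unsigned t = 0; t < dim * WORD_BITS && len < n; t++)
    if (bm[t / WORD_BITS] & (1u << (t % WORD_BITS)))
      len += snprintf(out + len, n - len, "%s%u", len ? "," : "", t);
  return out;
}

/* Store the post's rule under a given width assumption and echo it back (static buffer). */
const char *store_rule(size_t dim) {
  static char out[64];
  uint32_t bm[DIM_FIXED];
  fill_icmp6_types(bm, dim, "1,2,3,4,128,129");
  return show_icmp6_types(bm, dim, out, sizeof out);
}

int main(void) {
  printf("x86_64 build: icmptype %s\n", store_rule(DIM_BUGGY(64))); /* 1,2,3,4 */
  printf("i386 build:   icmptype %s\n", store_rule(DIM_BUGGY(32))); /* 1,2,3,4,128,129 */
  printf("fixed:        icmptype %s\n", store_rule(DIM_FIXED));     /* 1,2,3,4,128,129 */
  return 0;
}
```

Whatever the real cause in a given build, the rule line echoed back by ip6fw is the check: compare it against the types you asked for before trusting the ruleset.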

strotmann.de by Carsten Strotmann is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.